RubySec

Providing security resources for the Ruby community

CVE-2015-8314 (devise): Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie

ADVISORIES

GEM

devise

PATCHED VERSIONS

  • >= 3.5.4

DESCRIPTION

Devise version before 3.5.4 uses cookies to implement a “Remember me” functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.