Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
Published: January 18, 2016
SECURITY IDENTIFIERS
- CVE: CVE-2015-8314 (NVD)
- GHSA: GHSA-746g-3gfp-hfhw
- Vendor Advisory: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
>= 3.5.4
DESCRIPTION
Devise versions before 3.5.4 use cookies to implement "Remember me" functionality. However, the same cookie is generated for every device, and its validity is tied only to the user's password rather than to when it was issued. If an attacker manages to steal a remember me cookie and the user does not change their password frequently, the cookie can be used to gain access to the application indefinitely.
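The scheme described above, as an added simplified model that is not Devise's own code: a cookie whose MAC covers only the user id and password salt (so it is identical on every device and never ages out) beside one that also embeds and authenticates its issue time and is refused once it is older than a remember window. The user record, the HMAC construction, the 14-day REMEMBER_FOR window and the secret are constructed for illustration.

```ruby
require 'openssl'

# Expiry window, standing in for a `remember_for` setting (assumed value).
REMEMBER_FOR = 14 * 24 * 3600 # 14 days, in seconds

# Constructed user record: the only secret behind the token is the password
# salt, which only changes when the user changes their password.
User = Struct.new(:id, :password_salt)

# Constant-time string comparison so the check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-3.5.4-style cookie (simplified): the MAC covers only the user id and
# salt, so every device gets the identical cookie and nothing in it expires.
def unsafe_cookie(user, secret)
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{user.id}:#{user.password_salt}")
  "#{user.id}-#{mac}"
end

# The current time plays no role: a stolen cookie stays valid until the
# salt changes, i.e. until the user changes their password.
def unsafe_valid?(cookie, user, secret, _now)
  secure_compare(cookie, unsafe_cookie(user, secret))
end

# Hardened-style cookie: the issue time is embedded and covered by the MAC
# (standing in for a signed cookie), and a cookie older than REMEMBER_FOR
# is refused even though the password (and salt) never changed.
def safe_cookie(user, secret, issued_at)
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret,
                                "#{user.id}:#{user.password_salt}:#{issued_at}")
  "#{user.id}-#{mac}-#{issued_at}"
end

def safe_valid?(cookie, user, secret, now)
  id, _mac, issued_at = cookie.split('-', 3)
  return false unless id && issued_at && id.to_i == user.id
  return false if now - issued_at.to_i > REMEMBER_FOR # aged out
  # Recomputing the MAC over the embedded time rejects a tampered timestamp.
  secure_compare(cookie, safe_cookie(user, secret, issued_at.to_i))
end
```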
