RubySec

Providing security resources for the Ruby community

CVE-2019-5421 (devise): Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module

GEM

devise

SEVERITY

CVSS v3: 9.8

CVSS v2: 7.5

PATCHED VERSIONS

  • >= 4.6.0

DESCRIPTION

The Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition because `increment_failed_attempts` in the `Devise::Models::Lockable` class is not concurrency safe: concurrent failed-login requests can each read the same `failed_attempts` value and write back the same result, so updates are lost and the account may not lock after the configured number of failures.
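To show why a counter that is not concurrency safe matters for lockout, here is an added illustration that is not Devise's code: an in-memory stand-in for the lockable counter, run through the worst-case interleaving (every concurrent handler reads before any writes) with a read-modify-write increment and with an atomic increment. The lockout threshold and record class are assumed for the example.

```ruby
# Added illustration, not Devise's own code. Models a record carrying the
# lockable failed_attempts counter and two ways of incrementing it.
MAXIMUM_ATTEMPTS = 5 # assumed lockout threshold; Devise's maximum_attempts is configurable

class FailedAttemptsRecord
  attr_reader :failed_attempts

  def initialize
    @failed_attempts = 0
  end

  # Non-atomic path: the handler reads the column, adds one in application
  # code, and writes the result back. Anything another handler does between
  # this read and this write is invisible here (the TOCTOU window).
  def read
    @failed_attempts
  end

  def write(value)
    @failed_attempts = value
  end

  # Atomic path: the store applies the increment itself as one indivisible
  # operation, the equivalent of "UPDATE users SET failed_attempts = failed_attempts + 1".
  def increment!
    @failed_attempts += 1
  end

  def locked?
    @failed_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Worst-case interleaving for N concurrent failed logins with the racy path:
# every handler reads the counter before any handler writes, so each one
# computes "0 + 1" and the record ends at 1 no matter how large N is.
def racy_outcome(concurrent_failures)
  record = FailedAttemptsRecord.new
  seen = Array.new(concurrent_failures) { record.read }
  seen.each { |value| record.write(value + 1) }
  [record.failed_attempts, record.locked?]
end

# The same N failures counted with the atomic increment: no update is lost.
def atomic_outcome(concurrent_failures)
  record = FailedAttemptsRecord.new
  concurrent_failures.times { record.increment! }
  [record.failed_attempts, record.locked?]
end

puts "racy:   #{racy_outcome(8).inspect}"   # => [1, false]
puts "atomic: #{atomic_outcome(8).inspect}" # => [8, true]
```

The racy path leaves the account unlocked after eight failures, which is the lockout bypass the advisory describes; the defence is to push the increment into the store as a single atomic update rather than computing it from a previously read value.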