RubySec

Providing security resources for the Ruby community

CVE-2019-5421 (devise): Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module

GEM

devise

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

  • >= 4.6.0

DESCRIPTION

The Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition because increment_failed_attempts within the Devise::Models::Lockable class is not concurrency safe.
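The advisory names the bug class but not the mechanism, so the following is an added example, not Devise's code and not its 4.6.0 patch: a minimal model of why a read-modify-write failed-login counter loses updates under concurrent requests, beside a counter that is incremented inside the store (the shape of an UPDATE ... SET failed_attempts = failed_attempts + 1). The AccountStore class, the handler names, the MAXIMUM_ATTEMPTS value and the fiber-based scheduler are all constructed for the illustration; the scheduler forces the worst-case interleaving (every request reads before any request writes) so the lost update is reproducible rather than timing dependent.

```ruby
# Added example (not Devise's code): lost-update race on a failed-login
# counter, shown with a deterministic interleaving.

MAXIMUM_ATTEMPTS = 5 # constructed "lock after N failures" policy value

# In-memory stand-in for a users table with a single row, id 1.
class AccountStore
  def initialize(failed_attempts: 0)
    @rows = { 1 => { failed_attempts: failed_attempts, locked_at: nil } }
    @mutex = Mutex.new
  end

  # SELECT-style read; returns a copy so callers cannot mutate the row.
  def read(id)
    @mutex.synchronize { @rows.fetch(id).dup }
  end

  # UPDATE ... SET column = <value computed by the caller>.
  # This is the write half of the racy read-modify-write pattern.
  def write(id, attrs)
    @mutex.synchronize { @rows.fetch(id).merge!(attrs) }
  end

  # UPDATE ... SET column = column + 1, returning the new value. The increment
  # happens inside the store, so concurrent callers cannot overwrite each other.
  def increment(id, column)
    @mutex.synchronize do
      row = @rows.fetch(id)
      row[column] += 1
      row[column]
    end
  end
end

# Racy handler (hypothetical name): read the counter, add one, write it back.
# `window` marks the gap between check and use; the scheduler below lets other
# requests run inside it.
def racy_failed_login(store, id, window: -> {})
  attempts = store.read(id)[:failed_attempts] + 1
  window.call # TOCTOU window: another request may still be reading the old value
  attrs = { failed_attempts: attempts }
  attrs[:locked_at] = Time.now if attempts >= MAXIMUM_ATTEMPTS
  store.write(id, attrs)
end

# Atomic handler (hypothetical name): the store does the increment and hands
# back this request's own count, so the lock decision uses a value no other
# request can have overwritten.
def atomic_failed_login(store, id, window: -> {})
  attempts = store.increment(id, :failed_attempts)
  window.call # other requests may run here; this request's count is already stored
  store.write(id, locked_at: Time.now) if attempts >= MAXIMUM_ATTEMPTS
end

# Runs n copies of the handler under the worst-case interleaving: phase 1
# resumes every fiber up to its first Fiber.yield (all reads done), phase 2
# resumes them again (all writes done).
def run_concurrently(n, &handler)
  fibers = Array.new(n) { Fiber.new(&handler) }
  fibers.each(&:resume)
  fibers.each { |f| f.resume if f.alive? }
end

# Drives `concurrent_requests` simultaneous failed logins against a fresh
# account and reports the resulting counter and lock state.
def simulate(handler_name, concurrent_requests)
  store = AccountStore.new
  run_concurrently(concurrent_requests) do
    send(handler_name, store, 1, window: -> { Fiber.yield })
  end
  row = store.read(1)
  { failed_attempts: row[:failed_attempts], locked: !row[:locked_at].nil? }
end

if __FILE__ == $PROGRAM_NAME
  puts "racy:   #{simulate(:racy_failed_login, 10)}"   # 10 failures counted as 1, not locked
  puts "atomic: #{simulate(:atomic_failed_login, 10)}" # 10 failures counted as 10, locked
end
```

Run sequentially, both handlers lock the account after MAXIMUM_ATTEMPTS failures; the difference only appears when requests overlap. With ten overlapping requests the racy handler leaves the counter at 1 and the account unlocked, which is the detection signal to look for in a lockable setup: failed-login volume that does not match the stored failed_attempts count. The mitigation is the same as the atomic handler shows, moving the increment into the database rather than computing it in the application.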