Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Published: February 07, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-5421 (NVD)
- GHSA: GHSA-73rf-6mrf-759q
- Vendor Advisory: https://github.com/plataformatec/devise/issues/4981
GEM
SEVERITY
PATCHED VERSIONS
>= 4.6.0
DESCRIPTION
The Devise Ruby gem before 4.6.0, when the lockable module is used, is vulnerable to a
time-of-check time-of-use (TOCTOU) race condition because increment_failed_attempts
in the Devise::Models::Lockable class is not concurrency safe.
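The defect described above, shown as an added stand-alone Ruby simulation (not Devise's own code): a read-then-write counter loses updates when failed logins arrive concurrently, so the lockout threshold can be missed, while a single atomic counter update (the database-side "set column = column + 1" style of fix) counts every attempt. FakeUserStore, vulnerable_increment, safe_increment and MAX_ATTEMPTS are names constructed for this example.

```ruby
# Constructed in-memory stand-in for a user row; the mutex plays the role of the
# database serialising individual row updates. Not Devise code.
class FakeUserStore
  def initialize
    @failed_attempts = 0
    @lock = Mutex.new
  end

  # Non-atomic path: read the column now, write a computed value back later.
  def read_attempts
    @lock.synchronize { @failed_attempts }
  end

  def write_attempts(value)
    @lock.synchronize { @failed_attempts = value }
  end

  # Atomic path: equivalent of UPDATE ... SET failed_attempts = failed_attempts + 1
  def increment_attempts!
    @lock.synchronize { @failed_attempts += 1 }
  end
end

MAX_ATTEMPTS = 5 # constructed lockout threshold

# TOCTOU pattern: the check (read) and the use (write) are separate steps, so two
# concurrent failed logins can both read N and both write back N + 1 (lost update).
def vulnerable_increment(store)
  attempts = store.read_attempts
  Thread.pass
  sleep 0.001 # widen the race window so the lost update shows up reliably
  store.write_attempts(attempts + 1)
end

# Safe pattern: one atomic increment, no window between check and use.
def safe_increment(store)
  store.increment_attempts!
end

# Runs n concurrent failed-login attempts with the given strategy and returns the
# final counter together with whether the account would have been locked.
def simulate(n, store = FakeUserStore.new, &strategy)
  n.times.map { Thread.new { strategy.call(store) } }.each(&:join)
  count = store.read_attempts
  { failed_attempts: count, locked: count >= MAX_ATTEMPTS }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(20) { |s| vulnerable_increment(s) } # lost updates: usually far below 20, often unlocked
  p simulate(20) { |s| safe_increment(s) }       # {:failed_attempts=>20, :locked=>true}
end
```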
