RubySec

Providing security resources for the Ruby community

CVE-2021-43177 (devise-two-factor): Improper one time password handling in devise-two-factor


Published: April 07, 2022

SECURITY IDENTIFIERS

GEM

devise-two-factor

SEVERITY

CVSS v3.x: 5.3 (Medium)

PATCHED VERSIONS

>= 4.0.2

DESCRIPTION

Impact

Because the fix for CVE-2015-7225 was incomplete, versions of devise-two-factor prior to 4.0.2 allow a One-Time Password (OTP) that has already been used to be accepted again during one (and only one) immediately trailing time interval.
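As an added illustration, not code from devise-two-factor or RubySec, the following Ruby models the replay window described above: a TOTP check with a one-step drift allowance that only remembers the current timestep when a code is used accepts the same code again in the immediately trailing interval, whereas one that remembers the step the code actually matched rejects it. The verifier functions and the RFC 6238 test secret used in the trace are this example's own assumptions.

```ruby
require "openssl"

# Constructed illustration (not devise-two-factor's code): a minimal RFC 6238
# TOTP check with SHA-1, 6 digits, 30 s steps and a one-step drift allowance.
INTERVAL = 30
DRIFT_STEPS = 1

def hotp(secret, counter)
  hmac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
  offset = hmac.bytes.last & 0x0f
  format("%06d", (hmac[offset, 4].unpack1("N") & 0x7fffffff) % 1_000_000)
end

# Returns the timestep inside the drift window whose code equals +code+, or nil.
def matching_step(secret, code, time)
  now_step = time / INTERVAL
  (-DRIFT_STEPS..DRIFT_STEPS).each do |d|
    return now_step + d if hotp(secret, now_step + d) == code
  end
  nil
end

# Models the incomplete replay check: it records the *current* step when a code
# is used, so a code minted for step N and consumed in step N still sits inside
# the drift window in step N+1 and is accepted again. Returns [accepted?, consumed].
def weak_verify(secret, consumed, code, time)
  now_step = time / INTERVAL
  valid = !matching_step(secret, code, time).nil? && consumed != now_step
  valid ? [true, now_step] : [false, consumed]
end

# Hardened check: records the step the code actually MATCHED and rejects any
# later code that matches at or before it, so a consumed code is never valid again.
def strict_verify(secret, consumed, code, time)
  step = matching_step(secret, code, time)
  return [false, consumed] if step.nil? || (consumed && step <= consumed)
  [true, step]
end

# Submits one code at its own step and at the next two steps; returns the
# accept decisions. Weak: [true, true, false]. Strict: [true, false, false].
def replay_trace(secret, time, verifier)
  code = hotp(secret, time / INTERVAL)
  consumed = nil
  [time, time + INTERVAL, time + 2 * INTERVAL].map do |t|
    ok, consumed = verifier.call(secret, consumed, code, t)
    ok
  end
end
```

Calling `replay_trace(secret, time, method(:weak_verify))` shows the one-interval replay the advisory describes; swapping in `method(:strict_verify)` shows it closed.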

Patches

This vulnerability has been patched in version 4.0.2, which was released on March 24th, 2022. Individuals using this package are strongly encouraged to upgrade as soon as possible.
