
gem: devise
date: 2016-01-18
cve: 2015-8314
title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
description: |
  Devise versions before 3.5.4 implement "Remember me" with a cookie whose
  value is the same for every device the user signs in from: it is bound to
  the user's stored password rather than to a session, and it carries nothing
  that expires. If an attacker steals a remember-me cookie and the user does
  not change their password, the cookie can be replayed to gain access to the
  application indefinitely.
patched_versions:
  - ">= 3.5.4"
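The behaviour described above, modelled in Ruby as an added example. This is not Devise's code or its patch: the names User, RememberMe, Vulnerable, Fixed, SECRET and REMEMBER_FOR, the placeholder password hashes and the two-week window are this example's own, and the HMAC helper stands in for Rails' signed cookie jar. The vulnerable variant binds the cookie only to the stored password hash, so the same cookie is issued on every device and is accepted until the password changes; the second variant shows one way to bound the exposure by recording when the cookie was issued and refusing it after a fixed period.

```ruby
require 'openssl'
require 'time'
# Added example modelling the cookie behaviour the advisory describes; not Devise's
# code. All names here (User, RememberMe, Vulnerable, Fixed, SECRET) are the example's own.
User = Struct.new(:id, :encrypted_password, :remember_created_at, keyword_init: true)
module RememberMe
  SECRET       = 'constructed-secret-key-base'  # stands in for Rails' secret_key_base
  REMEMBER_FOR = 14 * 24 * 60 * 60              # two weeks, in seconds (assumed policy)

  # Value the cookie is bound to. Derived only from the stored password hash, so it
  # is identical on every device and changes only when the password does.
  def self.rememberable_value(user)
    OpenSSL::Digest::SHA256.hexdigest("remember:#{user.encrypted_password}")[0, 32]
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # "payload--hmac", standing in for Rails' signed cookie jar; unseal returns the
  # payload, or nil if the cookie was tampered with.
  def self.seal(payload)
    "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
  end

  def self.unseal(cookie)
    payload, mac = cookie.to_s.split('--', 2)
    return nil unless payload && mac
    secure_compare(mac, OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)) ? payload : nil
  end

  def self.lookup(id, token, users)
    user = users[id.to_i]
    return nil unless user && user.remember_created_at && token
    secure_compare(token, rememberable_value(user)) ? user : nil
  end

  # The behaviour described: payload is [id, token] with nothing time-dependent,
  # so a stolen cookie is accepted until the password changes.
  module Vulnerable
    def self.cookie_for(user)
      RememberMe.seal("#{user.id}|#{RememberMe.rememberable_value(user)}")
    end
    def self.user_from_cookie(cookie, users, now:)
      payload = RememberMe.unseal(cookie) or return nil
      id, token = payload.split('|', 2)
      RememberMe.lookup(id, token, users)
    end
  end

  # One way to bound the window: record when the cookie was issued and refuse it
  # once REMEMBER_FOR has elapsed, whether or not the password ever changes.
  module Fixed
    def self.cookie_for(user, now:)
      RememberMe.seal("#{user.id}|#{RememberMe.rememberable_value(user)}|#{now.getutc.iso8601}")
    end
    def self.user_from_cookie(cookie, users, now:)
      payload = RememberMe.unseal(cookie) or return nil
      id, token, issued_at = payload.split('|', 3)
      issued = begin
        Time.iso8601(issued_at.to_s)
      rescue ArgumentError
        return nil
      end
      return nil unless now - issued < REMEMBER_FOR
      RememberMe.lookup(id, token, users)
    end
  end

  # Scenario: a cookie is stolen on day 0, the user never changes their password,
  # and the attacker replays it 60 days later. Returns each variant's outcome.
  def self.demo
    user  = User.new(id: 42, encrypted_password: '$2a$10$constructedplaceholderhash',
                     remember_created_at: Time.utc(2016, 1, 1))
    users = { 42 => user }
    day0  = Time.utc(2016, 1, 1)
    day60 = day0 + 60 * 24 * 60 * 60
    stolen_vuln  = Vulnerable.cookie_for(user)
    stolen_fixed = Fixed.cookie_for(user, now: day0)
    tampered     = stolen_fixed.sub('2016-01-01', '2016-03-01')  # attacker edits the issue date
    result = {
      vulnerable_same_on_every_device:   Vulnerable.cookie_for(user) == stolen_vuln,
      vulnerable_accepted_after_60_days: !Vulnerable.user_from_cookie(stolen_vuln, users, now: day60).nil?,
      fixed_accepted_same_day:           !Fixed.user_from_cookie(stolen_fixed, users, now: day0).nil?,
      fixed_rejected_after_60_days:      Fixed.user_from_cookie(stolen_fixed, users, now: day60).nil?,
      fixed_rejects_tampered_date:       Fixed.user_from_cookie(tampered, users, now: day60).nil?
    }
    # A password change rotates rememberable_value, the only thing that ever
    # invalidated the vulnerable cookie.
    user.encrypted_password = '$2a$10$anotherconstructedplaceholderhash'
    result[:password_change_revokes_vulnerable] = Vulnerable.user_from_cookie(stolen_vuln, users, now: day0).nil?
    result
  end
end
puts RememberMe.demo if $PROGRAM_NAME == __FILE__
```

Running the file prints the scenario's outcomes. Note that the time-bounded variant still issues an identical token on every device: it limits how long a stolen cookie stays usable, but revoking a single device's cookie without a password change would need per-session state on the server, which neither variant keeps.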