Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: devise
date: 2016-01-18
url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
cve: 2015-8314
title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
description: |
  Devise versions before 3.5.4 use a cookie to implement "Remember me"
  functionality, but they generate the same cookie value for every device a
  user signs in from, and that value stays valid until the user's password
  changes. The cookie carries no issue time or expiration of its own, so an
  attacker who steals a remember-me cookie can present it from any machine
  and keep access to the application for as long as the user keeps the same
  password, which in practice can be indefinitely.
patched_versions:
- ">= 3.5.4"
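The following Ruby is an added illustration of the two cookie designs the advisory contrasts; it is not Devise's code and makes no claim about Devise's internals. It models a legacy token that is derived only from a per-user, password-linked salt (so it is identical on every device and survives sign-out), next to a hardened token that also carries an issue timestamp checked against a per-user "forget all devices" mark and a maximum age. `SECRET`, the `User` class and all timestamps are constructed for the demo.

```ruby
require 'openssl'
require 'securerandom'

SECRET = 'constructed-demo-signing-key'.freeze # assumption: app-wide cookie signing key

def hmac(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed user record. The salt stands in for a password-derived value:
# it changes only when the password changes.
class User
  attr_reader :id, :salt, :remember_invalidated_at

  def initialize(id)
    @id = id
    @salt = SecureRandom.hex(8)
    @remember_invalidated_at = 0 # epoch seconds; cookies issued before this are dead
  end

  def change_password!
    @salt = SecureRandom.hex(8)
  end

  # "Forget me on all devices": records the time; older cookies stop validating.
  def forget_all_devices!(now)
    @remember_invalidated_at = now
  end
end

# Legacy shape: id + password-linked salt, signed. Every device gets the same
# value, and nothing short of a password change invalidates it.
def legacy_issue(user)
  payload = "#{user.id}|#{user.salt}"
  "#{payload}|#{hmac(payload)}"
end

def legacy_valid?(cookie, user)
  id, salt, sig = cookie.split('|', 3)
  return false if sig.nil?
  return false unless secure_equal?(sig, hmac("#{id}|#{salt}"))
  id == user.id.to_s && secure_equal?(salt, user.salt)
end

# Hardened shape: the signed payload also carries the issue time, so each
# sign-in yields a distinct cookie that can expire and be revoked per user.
def hardened_issue(user, now)
  payload = "#{user.id}|#{user.salt}|#{now}"
  "#{payload}|#{hmac(payload)}"
end

def hardened_valid?(cookie, user, now, max_age)
  id, salt, issued_at, sig = cookie.split('|', 4)
  return false if sig.nil?
  return false unless secure_equal?(sig, hmac("#{id}|#{salt}|#{issued_at}"))
  issued_at = issued_at.to_i
  id == user.id.to_s &&
    secure_equal?(salt, user.salt) &&
    issued_at > user.remember_invalidated_at && # revoked by "forget all devices"
    now - issued_at <= max_age                   # hard upper bound on lifetime
end

if __FILE__ == $PROGRAM_NAME
  u = User.new(7)
  puts "legacy cookies identical across devices: #{legacy_issue(u) == legacy_issue(u)}"
  c = hardened_issue(u, 1_000)
  u.forget_all_devices!(1_200)
  puts "hardened cookie after forget-all: #{hardened_valid?(c, u, 1_300, 86_400)}"
end
```

The point the check makes explicit: with the legacy shape, `forget_all_devices!` has nothing to act on, because the cookie's validity is a function of the password alone; the hardened shape gives the server two independent levers (a per-user revocation time and a maximum age) that work without forcing a password change.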