Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at


gem: devise
date: 2019-09-08
cve: 2019-16109
title: Devise Gem for Ruby confirmation token validation with a blank string
description: |
  Devise before 4.7.1 confirms accounts upon receiving a request with a blank
  confirmation_token, if a database record has a blank value in the confirmation_token column.
  However, there is no scenario within Devise itself in which such database records would exist.
patched_versions:
  - ">= 4.7.1"
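
The condition in the description, shown as an added example that is not Devise's code and not part of the original advisory: a token lookup without a blank check beside one that rejects blank tokens first, plus an audit helper for the precondition. The `User` struct, the in-memory rows and all method names are assumptions made for illustration.

```ruby
# Added illustration: an in-memory stand-in for a users table, not Devise code.
User = Struct.new(:email, :confirmation_token, :confirmed_at)

# Constructed sample rows. The second row has a blank token, for example left
# behind by a data import or custom code (Devise itself never writes one).
def sample_users
  [
    User.new("alice@example.test", "Zx3kq9sT1vYbLm2n", nil),
    User.new("bob@example.test", "", nil)
  ]
end

# Lookup without a blank check: the submitted token is matched as-is, so an
# empty string equals the blank column value and that account is confirmed.
def confirm_unchecked(users, token)
  user = users.find { |u| u.confirmation_token == token }
  return [:invalid, nil] unless user

  user.confirmed_at = Time.now
  [:confirmed, user]
end

# Hardened lookup: nil, empty and whitespace-only tokens are rejected
# before any record is searched for.
def confirm_checked(users, token)
  return [:blank_token, nil] if token.nil? || token.to_s.strip.empty?

  confirm_unchecked(users, token)
end

# Audit helper: unconfirmed rows with a blank token are the precondition
# the advisory describes, so they are worth finding and fixing.
def blank_token_rows(users)
  users.select { |u| u.confirmed_at.nil? && u.confirmation_token.to_s.strip.empty? }
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  puts "rows at risk: #{blank_token_rows(users).map(&:email).inspect}"
  puts "checked, blank token: #{confirm_checked(users, '').first}"
  puts "unchecked, blank token: #{confirm_unchecked(users, '').first}"
end
```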