Rubysec

Providing security resources for the Ruby community.
Advisory Archive

---
gem: devise
date: 2019-09-08
url: https://github.com/plataformatec/devise/issues/5071
cve: 2019-16109
title: Devise Gem for Ruby confirmation token validation with a blank string
description: |
  Devise before 4.7.1 confirms accounts upon receiving a request with a blank
  confirmation_token, if a database record has a blank value in the confirmation_token column.
  However, there is no scenario within Devise itself in which such database records would exist.
patched_versions:
- ">= 4.7.1"
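The failure mode in the description is a lookup that matches a blank request parameter against a blank column value. The following Ruby is an added illustration, not Devise's own code: it models that lookup over constructed in-memory records, places the vulnerable pattern beside the hardened one (which refuses blank tokens before the lookup), and adds the check a maintainer would run on an existing database to find rows the flaw affects. The function names, the `User` struct and the sample rows are all assumptions made for this example.

```ruby
# Added example (not Devise's own code): models the confirmation-token lookup
# described in the advisory with an in-memory user table, so the blank-token
# failure mode and the fix can be exercised offline.

# Constructed sample records. The advisory notes Devise itself never creates a
# user with a blank confirmation_token, but imported or hand-edited rows can.
User = Struct.new(:email, :confirmation_token, :confirmed_at)

SAMPLE_USERS = [
  User.new("alice@example.com", "abc123securetoken", nil),
  User.new("bob@example.com", "", nil),    # blank token: the risky row
  User.new("carol@example.com", nil, nil), # NULL token
]

# Vulnerable pattern (pre-4.7.1 behaviour as described): look the token up
# directly. A blank request token matches the blank database row and confirms it.
def confirm_by_token_vulnerable(users, token)
  user = users.find { |u| u.confirmation_token == token }
  return [:not_found, nil] unless user
  user.confirmed_at = Time.now
  [:confirmed, user]
end

# Hardened pattern: reject blank tokens before touching the database, so a
# blank or missing parameter can never match a blank column value.
def confirm_by_token_hardened(users, token)
  return [:blank_token, nil] if token.nil? || token.strip.empty?
  user = users.find { |u| u.confirmation_token == token }
  return [:not_found, nil] unless user
  user.confirmed_at = Time.now
  [:confirmed, user]
end

# Defensive check for existing databases: list unconfirmed accounts whose
# confirmation_token is blank or NULL; these are the rows the flaw affects.
def unconfirmed_with_blank_token(users)
  users.select do |u|
    u.confirmed_at.nil? && (u.confirmation_token.nil? || u.confirmation_token.strip.empty?)
  end.map(&:email)
end

# Runs both lookups against fresh copies of the sample rows with a blank token
# and reports which rows the database check flags.
def demo
  vuln = confirm_by_token_vulnerable(SAMPLE_USERS.map(&:dup), "")
  hard = confirm_by_token_hardened(SAMPLE_USERS.map(&:dup), "")
  {
    vulnerable: vuln.first,                             # :confirmed
    hardened: hard.first,                               # :blank_token
    at_risk: unconfirmed_with_blank_token(SAMPLE_USERS) # bob and carol
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Upgrading to a patched version closes the lookup path; the row-level check is still worth running once, because any row it returns was confirmable by a blank request while the unpatched version was deployed.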