Rubysec


Advisory Archive


---
gem: devise
date: 2019-02-07
url: https://github.com/plataformatec/devise/issues/4981
cve: 2019-5421
title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
description: |
  The Devise Ruby gem before 4.6.0, when the `lockable` module is used, is vulnerable to a
  time-of-check time-of-use (TOCTOU) race condition because `increment_failed_attempts`
  in the `Devise::Models::Lockable` class is not concurrency safe.
patched_versions:
- ">= 4.6.0"