Fluid Attacks Database

Description

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ruby-devise-two-factor	=3.1.0-2 \|\| =4.0.0-1 \|\| =4.0.0-2 \|\| =4.0.0-2~bpo11+1 \|\| =4.0.2-1	-
rubygems	devise-two-factor	>=0 <4.0.2	4.0.2
debian 12	ruby-devise-two-factor	>=0 <4.0.2-1	4.0.2-1

Aliases

1. CVE-2021-431772. NVD-2021-431773. OSV-DEBIAN-2021-431774. OSV-2021-431775. GHSA-jm35-h8q2-73mp6. GCVE-2021-431777. SECURITY-TRACKER-CVE-2021-43177

References

1. https://github.com/tinfoil/devise-two-factor/security/advisories/GHSA-jm35-h8q2-73mp2. https://github.com/tinfoil/devise-two-factor/issues/1063. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2021-43177.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.