GHSA-746g-3gfp-hfhw

Suggest an improvement
Source
https://github.com/advisories/GHSA-746g-3gfp-hfhw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-746g-3gfp-hfhw/GHSA-746g-3gfp-hfhw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-746g-3gfp-hfhw
Aliases
Published
2023-01-26T23:54:07Z
Modified
2024-02-15T05:33:40.581336Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
Details

Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

Database specific
{
    "nvd_published_at": "2023-12-12T17:15:07Z",
    "cwe_ids": [
        "CWE-288",
        "CWE-312"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-26T23:54:07Z"
}
References

Affected packages

RubyGems / devise

Package

Name
devise
Purl
pkg:gem/devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.5.4

Affected versions

0.*

0.1.0
0.1.1
0.2.0
0.2.1
0.2.2
0.2.3
0.3.0
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.1.pre
1.1.pre2
1.1.pre3
1.1.pre4
1.1.rc0
1.1.rc1
1.1.rc2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2.rc
1.2.rc2
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4.1
1.4.2
1.4.3
1.4.5
1.4.7
1.4.8
1.4.9
1.5.0.rc1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4

2.*

2.0.0.rc
2.0.0.rc2
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.1.0.rc
2.1.0.rc2
2.1.0
2.1.2
2.1.3
2.1.4
2.2.0.rc
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

3.*

3.0.0.rc
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0.rc2
3.1.0
3.1.1
3.1.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.3.0
3.4.0
3.4.1
3.5.1
3.5.2
3.5.3