Sha256: 17933a935581a42c9d283f94844e3b0fe49dbeeac8a14bfa2cb1db375f4ad8ba

Size: 797 Bytes

Versions: 6

Stored size: 797 Bytes

Contents

---
gem: devise-two-factor
cve: 2015-7225
url: http://www.openwall.com/lists/oss-security/2015/09/06/2
title: |
  devise-two-factor 1.1.0 and earlier vulnerable to replay attacks
date: 2015-09-17
description: |
  An OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local
  attackers to shoulder-surf a user's TOTP verification code and use it to
  log in after the user has authenticated.

  By not "burning" a previously used TOTP, devise-two-factor allows a narrow
  window of opportunity (aka the timestep period) where an attacker can re-use a
  verification code.

  Should an attacker possess a given user's authentication credentials, this
  flaw effectively defeats two-factor authentication for the duration of the
  timestep.

patched_versions:
  - ">= 2.0.0"
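= 2.0.0"">
As an added illustration (not code from the advisory or from devise-two-factor itself), the Ruby class below is a minimal RFC 6238 TOTP verifier that contrasts the unburned check the description refers to with one that records the consumed timestep so a code cannot be replayed inside its period. The class name, the raw-bytes secret, the six-digit/30-second parameters and the one-step drift window are assumptions of the example.

```ruby
require 'openssl'
# Constructed example, not devise-two-factor's own code: a minimal RFC 6238
# TOTP verifier that records the last consumed timestep so a code cannot be
# replayed inside its period. The secret is raw bytes (no base32) for brevity.
class TotpVerifier
  PERIOD = 30   # seconds per timestep
  DIGITS = 6
  DRIFT  = 1    # accept +/- one timestep of clock skew

  attr_reader :consumed_timestep
  def initialize(secret_bytes)
    @secret = secret_bytes
    @consumed_timestep = nil   # would be persisted per user in a real app
  end

  # TOTP code for a given timestep: HMAC-SHA1 over the 8-byte big-endian counter,
  # dynamic truncation, then reduce to DIGITS decimal digits.
  def code_for(timestep)
    hmac   = OpenSSL::HMAC.digest('sha1', @secret, [timestep].pack('Q>'))
    offset = hmac[-1].ord & 0x0f
    value  = hmac[offset, 4].unpack1('N') & 0x7fffffff
    format("%0#{DIGITS}d", value % (10**DIGITS))
  end

  # The unburned check the advisory describes: a code that matched once keeps
  # matching for the rest of the window, so a shoulder-surfed code can be replayed.
  def valid_without_burning?(code, now = Time.now.to_i)
    step = now / PERIOD
    (-DRIFT..DRIFT).any? { |d| secure_eq(code_for(step + d), code) }
  end

  # Hardened check: the matching timestep is consumed on first use, and any
  # code for that timestep or an earlier one is refused afterwards.
  def validate_and_burn!(code, now = Time.now.to_i)
    step  = now / PERIOD
    match = (-DRIFT..DRIFT).map { |d| step + d }.find { |t| secure_eq(code_for(t), code) }
    return false if match.nil?
    return false if @consumed_timestep && match <= @consumed_timestep
    @consumed_timestep = match
    true
  end

  private
  # Constant-time comparison so the check does not leak which digits matched.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With the RFC 4226/6238 test secret "12345678901234567890" and now = 59 (timestep 1), the code is "287082"; the unburned check accepts it repeatedly, while validate_and_burn! accepts it once and refuses the replay for the rest of the window.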

Version data entries

6 entries across 6 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml