CVE-2024-8796

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
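As an added example (not code from the devise-two-factor gem or its advisory), the following Ruby decodes a stored Base32 TOTP secret, reports how many key bits it actually yields, checks that against the 128-bit RFC 4226 minimum the advisory cites, and generates a 160-bit replacement; the two sample secret strings are constructed and the helper names are assumptions.

```ruby
require 'securerandom'

# RFC 4648 Base32 alphabet, the encoding in which TOTP shared secrets are stored.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze
RFC4226_MIN_BITS = 128   # minimum shared-secret length required by RFC 4226
RECOMMENDED_BITS = 160   # length RFC 4226 recommends (32 Base32 characters)

# Decode a Base32 string (padded or unpadded) into raw key bytes.
# Raises ArgumentError on characters outside the RFC 4648 alphabet.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid Base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  # A trailing group of fewer than 8 bits is encoding slack, not key material.
  bits[0, bits.length - bits.length % 8].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Number of key bits a stored secret actually yields once decoded for HMAC.
def secret_bits(base32_secret)
  base32_decode(base32_secret).bytesize * 8
end

# Audit one stored secret: its key length and whether it meets RFC 4226.
def audit_secret(base32_secret)
  bits = secret_bits(base32_secret)
  { bits: bits, rfc4226_compliant: bits >= RFC4226_MIN_BITS }
end

# Generate a replacement secret of the given length from the OS CSPRNG,
# Base32-encoded without padding so it fits an existing secret column.
def generate_compliant_secret(bits = RECOMMENDED_BITS)
  raise ArgumentError, 'below RFC 4226 minimum' if bits < RFC4226_MIN_BITS
  Array.new((bits / 5.0).ceil) { BASE32_ALPHABET[SecureRandom.random_number(32)] }.join
end

# Constructed sample values (not real secrets): a 24-character secret, which is
# the 120-bit length the advisory describes, and a 32-character (160-bit) one.
SHORT_SECRET = 'ABCDEFGHIJKLMNOPQRSTUVWX'.freeze          # 24 chars -> 120 bits
LONG_SECRET  = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze  # 32 chars -> 160 bits

if __FILE__ == $PROGRAM_NAME
  p audit_secret(SHORT_SECRET)   # => {:bits=>120, :rfc4226_compliant=>false}
  p audit_secret(LONG_SECRET)    # => {:bits=>160, :rfc4226_compliant=>true}
end
```

Running audit_secret over every stored secret identifies which users need a re-enrolment with a replacement from generate_compliant_secret.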
Base Score (CVSS 3.x)

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.3 MEDIUM   NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
SNPS       CNA    5.3 MEDIUM   NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADP   ADP    ---          ---

EPSS Score: Percentile 28%
Vendor            Product             Version
tinfoilsecurity   devise-two-factor   4.0.0 ≤ 𝑥 < 6.0.0
tinfoilsecurity   devise-two-factor   1.0.0
𝑥 = vulnerable software versions
Debian Releases

Debian Product           Codename   Status
ruby-devise-two-factor   bullseye   ignored
ruby-devise-two-factor   bookworm   ignored
Ubuntu Releases

Ubuntu Product           Codename   Status
ruby-devise-two-factor   plucky     not-affected
ruby-devise-two-factor   oracular   not-affected
ruby-devise-two-factor   noble      not-affected
ruby-devise-two-factor   jammy      Fixed 4.0.0-2ubuntu0.1~esm1 (released)
ruby-devise-two-factor   focal      Fixed 3.1.0-2ubuntu0.1~esm1 (released)
ruby-devise-two-factor   xenial     needed