Search CVE reports
1 – 3 of 3 results
CVE-2024-8796
Medium prioritySome fixes available 2 of 3
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to...
1 affected package
ruby-devise-two-factor
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby-devise-two-factor | Not affected | Fixed | Fixed | — | Vulnerable |
CVE-2021-43177
Medium prioritySome fixes available 2 of 5
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector:...
1 affected package
ruby-devise-two-factor
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby-devise-two-factor | Not affected | Fixed | Fixed | Not in release | Vulnerable |
CVE-2015-7225
Medium priorityTinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target...
1 affected package
ruby-devise-two-factor
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby-devise-two-factor | — | — | — | Not in release | Not affected |