devise Time-of-check Time-of-use Race Condition vulnerability

CVE-2019-5421 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2019-03-19 18:03:25 UTC
Updated: 2023-01-23 20:46:52 UTC
GitHub reviewed: 2020-06-16 21:21:17 UTC

EPSS Score

Score	Percentile
0.23%	45.50%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-73rf-6mrf-759q ↗
CVE	CVE-2019-5421 ↗

CWEs

CWE id	Name
CWE-367	Time-of-check Time-of-use (TOCTOU) Race Condition

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
rubygems	devise	< 4.6.0	4.6.0	—

References

cvelogic Threat Intelligence