Homepage
About Snyk

Non Unique Authentication Cookie Values Affecting devise package, versions <3.5.4

Severity

 Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.06% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-DEVISE-20252
  • published 17 Jan 2016
  • disclosed 17 Jan 2016
  • credit Alfredo Ramirez
Report a new vulnerability Found a mistake?

Introduced: 17 Jan 2016

CVE-2015-8314 Open this link in a new tab
CWE-330 Open this link in a new tab

How to fix?

Upgrade devise to version 3.5.4 or higher.

Overview

devise is an authentication framework for Rails with Warden.

Affected versions implement the 'remember me' functionality by using the same cookie for the user across all their devices. This increases the chance of the user identity being stolen. Furthermore, it does not allow to selectively revoke a specific cookie value, forcing 'all or none' if the user wishes to sign out. The fix introduces a timestamp to the cookie value, making it unique per device.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
4.8 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    High
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    None
Expand this section

NVD

7.5 high