
devise Time-of-check Time-of-use Race Condition vulnerability

Moderate severity GitHub Reviewed Published Mar 19, 2019 to the GitHub Advisory Database • Updated Jan 23, 2023

Package

devise (RubyGems)

Affected versions

< 4.6.0

Patched versions

4.6.0

Description

The Devise Ruby gem before 4.6.0, when the Lockable module is used, is vulnerable to a time-of-check time-of-use (TOCTOU) race condition because increment_failed_attempts in the Devise::Models::Lockable class is not concurrency safe. The method performs a read-modify-write of the failed_attempts counter rather than an atomic increment, so concurrent failed sign-in attempts against the same account can overwrite each other's update; the counter then undercounts failures and the account is locked later than maximum_attempts intends, or not at all, which weakens the brute-force protection Lockable is meant to provide. Upgrade to Devise 4.6.0 or later (check the devise entry in Gemfile.lock).
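The race, as an added example that is not Devise's code: a simulated pre-4.6.0 style counter (load the row, bump failed_attempts in Ruby, save the value back) beside a concurrency-safe counter (one atomic database-side increment), each hit by twenty simultaneous failed logins for the same account. FakeDb, Barrier, MAX_ATTEMPTS and the two login functions are assumptions made for this illustration; the barrier forces the worst-case interleaving that real concurrent requests only reach by timing.

```ruby
# Added illustration (not Devise's code). Models the lockable counter two ways:
# the pre-4.6.0 shape (read, bump in Ruby, write back) and the concurrency-safe
# shape (one atomic UPDATE ... SET failed_attempts = failed_attempts + 1).
# FakeDb, Barrier and MAX_ATTEMPTS are assumptions made for this example.

MAX_ATTEMPTS = 5 # stands in for Devise's maximum_attempts setting

# Tiny in-memory "database" holding one users row.
class FakeDb
  def initialize
    @rows = { 1 => { failed_attempts: 0, locked_at: nil } }
    @mutex = Mutex.new # stands in for the DB engine's per-statement atomicity
  end

  # SELECT ... WHERE id = ?  (returns a detached copy, like a loaded model)
  def read(id)
    @mutex.synchronize { @rows[id].dup }
  end

  # UPDATE users SET <col> = <caller-supplied value> WHERE id = ?
  def write(id, attrs)
    @mutex.synchronize { @rows[id].merge!(attrs) }
  end

  # UPDATE users SET <column> = <column> + 1 WHERE id = ?
  # Read and write happen inside one statement, so no other request can
  # interleave between them. Returns the new value.
  def increment_counter(id, column)
    @mutex.synchronize { @rows[id][column] += 1 }
  end
end

# Rendezvous point: no thread proceeds until all n have arrived. Used only to
# force the worst-case interleaving deterministically.
class Barrier
  def initialize(n)
    @n = n
    @arrived = 0
    @mutex = Mutex.new
    @cv = ConditionVariable.new
  end

  def wait
    @mutex.synchronize do
      @arrived += 1
      @cv.broadcast if @arrived >= @n
      @cv.wait(@mutex) while @arrived < @n
    end
  end
end

# Vulnerable shape: time of check (the read) and time of use (the write) are
# separate statements, so concurrent failed logins clobber each other's increment.
def racy_failed_login(db, user_id, barrier)
  row = db.read(user_id)                         # check: failed_attempts == k
  attempts = row[:failed_attempts] + 1           # computed in Ruby from that read
  barrier.wait                                   # every request now holds the same k
  db.write(user_id, failed_attempts: attempts)   # use: each writes k + 1
  db.write(user_id, locked_at: Time.now) if attempts >= MAX_ATTEMPTS
  attempts
end

# Hardened shape: the increment is one atomic statement, and the lock decision
# uses the value that statement returned, not a stale in-memory attribute.
def atomic_failed_login(db, user_id)
  attempts = db.increment_counter(user_id, :failed_attempts)
  db.write(user_id, locked_at: Time.now) if attempts >= MAX_ATTEMPTS
  attempts
end

# Fire n failed logins for the same account at once and return the final row.
def run_concurrent_failures(n, atomic:)
  db = FakeDb.new
  barrier = Barrier.new(n)
  threads = Array.new(n) do
    Thread.new do
      atomic ? atomic_failed_login(db, 1) : racy_failed_login(db, 1, barrier)
    end
  end
  threads.each(&:join)
  db.read(1)
end

if __FILE__ == $PROGRAM_NAME
  racy = run_concurrent_failures(20, atomic: false)
  safe = run_concurrent_failures(20, atomic: true)
  puts "racy:   failed_attempts=#{racy[:failed_attempts]} locked=#{!racy[:locked_at].nil?}"
  puts "atomic: failed_attempts=#{safe[:failed_attempts]} locked=#{!safe[:locked_at].nil?}"
end
```

With the racy shape all twenty requests load failed_attempts == 0, each writes 1, and the account is never locked even though it has absorbed twenty wrong passwords; with the atomic shape the counter reaches 20 and the lock fires at the fifth failure. Two details matter when applying this to a real ORM: the arithmetic has to happen in the UPDATE statement itself (the database serialises it), and the attempts_exceeded-style check must use the value that statement returns (or a reloaded record), since testing a model attribute that was populated before the increment reintroduces the same stale read.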

References

Published to the GitHub Advisory Database Mar 19, 2019
Reviewed Jun 16, 2020
Last updated Jan 23, 2023

Severity

Moderate

Weaknesses

CVE ID

CVE-2019-5421

GHSA ID

GHSA-73rf-6mrf-759q

Source code
