CVE-2019-5421 - OpenCVE

Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Plataformatec	Devise

Configuration 1 [-]

cpe:2.3:a:plataformatec:devise:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/plataformatec/devise/issues/4981	Exploit Issue Tracking Third Party Advisory
https://github.com/plataformatec/devise/pull/4996	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2019-04-03T14:21:37

Updated: 2019-04-03T14:21:37

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5421

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-04-03T15:29:01.663

Modified: 2020-10-16T19:17:22.553

Link: CVE-2019-5421

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Devise ruby gem", "vendor": "Plataformatec", "versions": [{"status": "affected", "version": "4.5.0 and earlier using the lockable module"}]}], "datePublic": "2018-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-03T14:21:37", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/plataformatec/devise/pull/4996"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5421", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Devise ruby gem", "version": {"version_data": [{"version_value": "4.5.0 and earlier using the lockable module"}]}}]}, "vendor_name": "Plataformatec"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/plataformatec/devise/issues/4981", "refsource": "MISC", "url": "https://github.com/plataformatec/devise/issues/4981"}, {"name": "https://github.com/plataformatec/devise/pull/4996", "refsource": "MISC", "url": "https://github.com/plataformatec/devise/pull/4996"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5421", "datePublished": "2019-04-03T14:21:37", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2019-04-03T14:21:37", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plataformatec:devise:*:*:*:*:*:*:*:*", "matchCriteriaId": "F07D86F3-1A2C-4562-830E-F88779AF55B7", "versionEndIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}, {"lang": "es", "value": "Mediante la utilizaci\u00f3n del m\u00f3dulo bloqueable, Plataformatec Devise, en versiones 4.5.0 y anteriores, contiene una vulnerabilidad CWE-367 en la clase \"Devise::Models::Lockable\", m\u00e1s espec\u00edficamente en el m\u00e9todo \"#increment_failed_attempts\". La ubicaci\u00f3n del archivo lib/devise/models/lockable.rb, que puede resultar en peticiones m\u00faltiples concurrentes, puede impedir que un atacante sea bloqueado durante ataques de fuerza bruta. Este ataque parece ser explotable mediante la conectividad de red y ataques de fuerza bruta. Esta vulnerabilidad parece haber sido solucionada en versiones 4.6.0 y posteriores."}], "id": "CVE-2019-5421", "lastModified": "2020-10-16T19:17:22.553", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-03T15:29:01.663", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/pull/4996"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "support@hackerone.com", "type": "Secondary"}]}