CVE-2024-8796
PUBLISHED
CVSS 6 MEDIUM
Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length
EPSS 0.25% · 48.0th percentile
Risk Scores
- CVSS 4.0: 6 (CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
- EPSS Score: 0.25% (48.0th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| tinfoilsecurity | devise-two-factor | 4.0.0, 1.0.0 |
| devise-two-factor | devise-two-factor | 1.0.0, 4.0.0 |
| RubyGems | devise-two-factor | 4.0.0, 1.0.0 |
Exploit Intelligence
- https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2 (circl)
- .bundler-audit.yml (github-poc)
Timeline
- Sep 17, 2024 CVE Published
- Sep 18, 2024 EPSS Score
- Sep 20, 2024 CVE Updated
- Oct 5, 2024 Coalition ESS Score
- Oct 8, 2024 EPSS Score
- Oct 27, 2024 EPSS Score
- Nov 16, 2024 EPSS Score
- Dec 6, 2024 EPSS Score
- Dec 26, 2024 EPSS Score
- Jan 15, 2025 EPSS Score
- Feb 3, 2025 EPSS Score
- Feb 23, 2025 EPSS Score
References
- https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2 vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-8796 advisory
- https://github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19 url
- https://github.com/devise-two-factor/devise-two-factor package