CVE-2019-5421 - Vulnerability Details - OpenCVE

Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Plataformatec	Devise

Configuration 1 [-]

cpe:2.3:a:plataformatec:devise:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/plataformatec/devise/issues/4981
https://github.com/plataformatec/devise/pull/4996

History

No history.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2019-04-03T14:21:37

Updated: 2024-08-04T19:54:53.557Z

Reserved: 2019-01-04T00:00:00

Link: CVE-2019-5421

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-03T15:29:01.663

Modified: 2024-11-21T04:44:54.277

Link: CVE-2019-5421

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Devise ruby gem", "vendor": "Plataformatec", "versions": [{"status": "affected", "version": "4.5.0 and earlier using the lockable module"}]}], "datePublic": "2018-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "description": "Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-04-03T14:21:37", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/plataformatec/devise/pull/4996"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-5421", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Devise ruby gem", "version": {"version_data": [{"version_value": "4.5.0 and earlier using the lockable module"}]}}]}, "vendor_name": "Plataformatec"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/plataformatec/devise/issues/4981", "refsource": "MISC", "url": "https://github.com/plataformatec/devise/issues/4981"}, {"name": "https://github.com/plataformatec/devise/pull/4996", "refsource": "MISC", "url": "https://github.com/plataformatec/devise/pull/4996"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:54:53.557Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/plataformatec/devise/pull/4996"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-5421", "datePublished": "2019-04-03T14:21:37", "dateReserved": "2019-01-04T00:00:00", "dateUpdated": "2024-08-04T19:54:53.557Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:plataformatec:devise:*:*:*:*:*:*:*:*", "matchCriteriaId": "F07D86F3-1A2C-4562-830E-F88779AF55B7", "versionEndIncluding": "4.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Plataformatec Devise version 4.5.0 and earlier, using the lockable module contains a CWE-367 vulnerability in The `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/models/lockable.rb that can result in Multiple concurrent requests can prevent an attacker from being blocked on brute force attacks. This attack appear to be exploitable via Network connectivity - brute force attacks. This vulnerability appears to have been fixed in 4.6.0 and later."}, {"lang": "es", "value": "Mediante la utilizaci\u00f3n del m\u00f3dulo bloqueable, Plataformatec Devise, en versiones 4.5.0 y anteriores, contiene una vulnerabilidad CWE-367 en la clase \"Devise::Models::Lockable\", m\u00e1s espec\u00edficamente en el m\u00e9todo \"#increment_failed_attempts\". La ubicaci\u00f3n del archivo lib/devise/models/lockable.rb, que puede resultar en peticiones m\u00faltiples concurrentes, puede impedir que un atacante sea bloqueado durante ataques de fuerza bruta. Este ataque parece ser explotable mediante la conectividad de red y ataques de fuerza bruta. Esta vulnerabilidad parece haber sido solucionada en versiones 4.6.0 y posteriores."}], "id": "CVE-2019-5421", "lastModified": "2024-11-21T04:44:54.277", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-03T15:29:01.663", "references": [{"source": "support@hackerone.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/pull/4996"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/issues/4981"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/plataformatec/devise/pull/4996"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-307"}], "source": "nvd@nist.gov", "type": "Primary"}]}