Skip to content

devise Time-of-check Time-of-use Race Condition vulnerability

Moderate severity GitHub Reviewed Published Mar 19, 2019 to the GitHub Advisory Database • Updated Jan 23, 2023

Package

bundler devise (RubyGems)

Affected versions

< 4.6.0

Patched versions

4.6.0

Description

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

References

Published to the GitHub Advisory Database Mar 19, 2019
Reviewed Jun 16, 2020
Last updated Jan 23, 2023

Severity

Moderate

EPSS score

0.338%
(72nd percentile)

Weaknesses

CVE ID

CVE-2019-5421

GHSA ID

GHSA-73rf-6mrf-759q

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.