MidnightBSD

Advisories for tinfoilsecurity

CVE-2015-7225 LOW

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.

CVSS 2.0

Severity: LOW

Problem Type: CWE-254,

Products Affected

Vendor Product Version
tinfoilsecurity devise-two-factor *
CVE-2021-43177 LOW

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-254,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
tinfoilsecurity devise-two-factor *
CVE-2024-0227

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9
disclosure@synopsys.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.6 3.4

Products Affected

Vendor Product Version
tinfoilsecurity devise-two-factor *