5.3 CVE-2015-7225
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
https://nvd.nist.gov/vuln/detail/CVE-2015-7225
Categories
CWE-254
References
af854a3a-2127-422b-91ae-364da2661108
| http://www.openwall.com/lists/oss-security/2015/06/20/4 Mailing List VDB Entry |
| http://www.openwall.com/lists/oss-security/2015/09/17/2 Mailing List VDB Entry |
| http://www.securityfocus.com/bid/76789 Third Party Advisory VDB Entry |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466 Mailing List Third Party Advisory |
| https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md Third Party Advisory |
| https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608 Third Party Advisory |
cve@mitre.org
| http://www.openwall.com/lists/oss-security/2015/06/20/4 Mailing List VDB Entry |
| http://www.openwall.com/lists/oss-security/2015/09/17/2 Mailing List VDB Entry |
| http://www.securityfocus.com/bid/76789 Third Party Advisory VDB Entry |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466 Mailing List Third Party Advisory |
| https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md Third Party Advisory |
| https://github.com/tinfoil/devise-two-factor/issues/45#issuecomment-139335608 Third Party Advisory |
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | ||
| cpe:2.3:a:tinfoilsecurity:devise-two-factor:*:*:*:*:*:*:*:* | <= 1.1.0 | |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date | |
|---|---|---|---|
| No known exploits | |||
POC Github
| Url |
|---|
| No known exploits |
Other Nist (github, ...)
| Url |
|---|
| No known exploits |
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| No entry | ||
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
