An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Devise | Plataformatec | * | 4.7.1 (excluding) |
| Ruby-devise | Ubuntu | bionic | * |
| Ruby-devise | Ubuntu | disco | * |
| Ruby-devise | Ubuntu | eoan | * |
| Ruby-devise | Ubuntu | esm-apps/bionic | * |
| Ruby-devise | Ubuntu | esm-apps/focal | * |
| Ruby-devise | Ubuntu | esm-apps/jammy | * |
| Ruby-devise | Ubuntu | esm-apps/noble | * |
| Ruby-devise | Ubuntu | esm-apps/xenial | * |
| Ruby-devise | Ubuntu | focal | * |
| Ruby-devise | Ubuntu | groovy | * |
| Ruby-devise | Ubuntu | hirsute | * |
| Ruby-devise | Ubuntu | impish | * |
| Ruby-devise | Ubuntu | jammy | * |
| Ruby-devise | Ubuntu | kinetic | * |
| Ruby-devise | Ubuntu | lunar | * |
| Ruby-devise | Ubuntu | mantic | * |
| Ruby-devise | Ubuntu | noble | * |
| Ruby-devise | Ubuntu | oracular | * |
| Ruby-devise | Ubuntu | plucky | * |
| Ruby-devise | Ubuntu | trusty | * |
| Ruby-devise | Ubuntu | xenial | * |
References
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
- https://github.com/plataformatec/devise/issues/5071
- https://github.com/plataformatec/devise/pull/5132
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
- https://github.com/plataformatec/devise/issues/5071
- https://github.com/plataformatec/devise/pull/5132