CVE-2019-5421

Time-of-check Time-of-use (TOCTOU) Race Condition

Published: Apr 03, 2019 | Modified: Nov 21, 2024
CVSS 3.x: 9.8 CRITICAL (Source: NVD)
CVSS 3.x vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 7.5 HIGH
CVSS 2.x vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2: (none listed)
RedHat/V3: (none listed)
Ubuntu: LOW

Plataformatec Devise version 4.5.0 and earlier, when using the lockable module, contains a CWE-367 vulnerability in the Devise::Models::Lockable class, specifically in the #increment_failed_attempts method (file location: lib/devise/models/lockable.rb). Because the failed-attempts counter is read and then written back as separate steps, multiple concurrent requests can prevent an attacker from being locked out during a brute force attack. This attack appears to be exploitable via network connectivity (brute force attacks). This vulnerability appears to have been fixed in 4.6.0 and later.

Weakness

The product checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.
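The two passages above describe the same defect from different angles: the CVE text names the non-atomic failed-attempts increment, and the weakness text describes the general check-then-use race. The following Ruby example is added here and is not Devise's own code; it models a lockable counter once as separate read and write steps (the CWE-367 pattern) and once as a locked increment. The AttemptsStore class, the MAX_ATTEMPTS threshold and the helper names are assumptions made for this illustration, and the vulnerable interleaving is forced deterministically rather than left to thread timing.

```ruby
# Added example, not Devise's own code. It models the failed-attempts counter
# behind a lockable account: one version performs the read-modify-write as
# separate steps (the CWE-367 pattern), the other increments under a lock.
# AttemptsStore, MAX_ATTEMPTS and the helper names are assumptions made here.

class AttemptsStore
  def initialize
    @failed_attempts = 0
    @mutex = Mutex.new
  end

  # Step 1 of the vulnerable pattern: the "check" (read the current count).
  def read
    @failed_attempts
  end

  # Step 2 of the vulnerable pattern: the "use" (write back a count computed
  # from a possibly stale read).
  def write(value)
    @failed_attempts = value
  end

  # Hardened form: read, add and write happen under one lock, so no other
  # request can observe or modify the counter between the check and the use.
  def increment!
    @mutex.synchronize { @failed_attempts += 1 }
  end
end

# Constructed threshold: the account counts as locked once this many
# failures have been recorded.
MAX_ATTEMPTS = 3

def locked?(store)
  store.read >= MAX_ATTEMPTS
end

# Worst-case interleaving of `requests` concurrent failed logins against the
# non-atomic counter, forced deterministically instead of relying on timing:
# every request reads the counter before any of them writes it back.
# Returns [final_count, locked?].
def vulnerable_concurrent_failures(requests)
  store = AttemptsStore.new
  snapshots = Array.new(requests) { store.read }      # all checks first...
  snapshots.each { |seen| store.write(seen + 1) }     # ...then all uses
  [store.read, locked?(store)]
end

# The same number of concurrent failures against the atomic counter; the
# lock serialises the increments, so none are lost.
# Returns [final_count, locked?].
def safe_concurrent_failures(requests)
  store = AttemptsStore.new
  Array.new(requests) { Thread.new { store.increment! } }.each(&:join)
  [store.read, locked?(store)]
end

if __FILE__ == $PROGRAM_NAME
  p vulnerable_concurrent_failures(10)  # => [1, false]: lockout never triggers
  p safe_concurrent_failures(10)        # => [10, true]
end
```

The vulnerable run shows the failure mode the CVE describes: ten failed logins leave the counter at 1, so the lock threshold is never reached no matter how many requests are sent in parallel. In a real application the equivalent of the locked increment is to let the database perform the addition in a single statement (an UPDATE that sets the column to itself plus one) rather than loading the value into application memory and saving it back; a counter that stays near 1 despite many recorded failures for the same account is also a useful signal when auditing a lockout implementation.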

Affected Software

Name         | Vendor        | Start Version   | End Version
-------------|---------------|-----------------|------------------
Devise       | Plataformatec | *               | 4.5.0 (including)
Gitlab       | Ubuntu        | esm-apps/xenial | *
Gitlab       | Ubuntu        | xenial          | *
Ruby-devise  | Ubuntu        | bionic          | *
Ruby-devise  | Ubuntu        | cosmic          | *
Ruby-devise  | Ubuntu        | devel           | *
Ruby-devise  | Ubuntu        | disco           | *
Ruby-devise  | Ubuntu        | eoan            | *
Ruby-devise  | Ubuntu        | esm-apps/bionic | *
Ruby-devise  | Ubuntu        | focal           | *
Ruby-devise  | Ubuntu        | groovy          | *
Ruby-devise  | Ubuntu        | hirsute         | *
Ruby-devise  | Ubuntu        | impish          | *
Ruby-devise  | Ubuntu        | jammy           | *
Ruby-devise  | Ubuntu        | kinetic         | *
Ruby-devise  | Ubuntu        | lunar           | *
Ruby-devise  | Ubuntu        | mantic          | *
Ruby-devise  | Ubuntu        | noble           | *
Ruby-devise  | Ubuntu        | oracular        | *
