First published: Wed Apr 03 2019
Plataformatec Devise version 4.5.0 and earlier, when using the lockable module, contains a CWE-367 (time-of-check/time-of-use race condition) vulnerability in the `Devise::Models::Lockable` class, specifically in the `#increment_failed_attempts` method (file location: lib/devise/models/lockable.rb). Multiple concurrent requests can prevent an attacker from being blocked during a brute-force attack. The issue is exploitable over the network via brute-force login attempts. This vulnerability appears to have been fixed in 4.6.0 and later.
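The race is easiest to see in a small simulation. The following Ruby code is an added illustration, not Devise's own `Lockable` implementation and not the fix merged in the referenced pull request; `UserRecord`, `MAX_ATTEMPTS` and the two `simulate_*` helpers are hypothetical stand-ins. It contrasts a read-modify-write failed-attempts counter, where several concurrent requests read the same stale value and overwrite each other's increments, with an increment and threshold check performed in one critical section (the role an atomic `UPDATE ... SET failed_attempts = failed_attempts + 1` or a row lock plays against a real database):

```ruby
# Added illustration of the CWE-367 race described above. Hypothetical code:
# a stand-in for a user record whose failed_attempts counter is persisted.
# It is NOT Devise's Lockable implementation.
MAX_ATTEMPTS = 3 # constructed lock threshold (Devise's is configurable)

class UserRecord
  attr_reader :failed_attempts, :locked_at

  def initialize
    @failed_attempts = 0
    @locked_at = nil
    @mutex = Mutex.new
  end

  def locked?
    !@locked_at.nil?
  end

  # Vulnerable pattern: the counter is read into memory, incremented, and the
  # stale copy is written back. Returned as two steps so the interleaving of
  # several requests can be driven explicitly (read, read, ..., write, write).
  def racy_failed_attempt_steps
    snapshot = nil
    read  = -> { snapshot = @failed_attempts }  # time of check
    write = lambda do                            # time of use
      @failed_attempts = snapshot + 1
      @locked_at ||= Time.now if @failed_attempts >= MAX_ATTEMPTS
    end
    [read, write]
  end

  # Hardened pattern: increment and threshold check run in one critical
  # section, so no request can act on a stale count. Against a database the
  # equivalent is an atomic in-place UPDATE or a row lock, not a Ruby Mutex.
  def atomic_failed_attempt!
    @mutex.synchronize do
      @failed_attempts += 1
      @locked_at ||= Time.now if @failed_attempts >= MAX_ATTEMPTS
    end
  end
end

# Worst-case interleaving: n concurrent failed logins all read the counter
# before any of them writes it back. Only one increment survives.
def simulate_racy(n)
  user = UserRecord.new
  steps = Array.new(n) { user.racy_failed_attempt_steps }
  steps.each { |read, _write| read.call }
  steps.each { |_read, write| write.call }
  user
end

# The same n failures against the atomic variant, driven from real threads.
def simulate_atomic(n)
  user = UserRecord.new
  Array.new(n) { Thread.new { user.atomic_failed_attempt! } }.each(&:join)
  user
end

if __FILE__ == $PROGRAM_NAME
  racy = simulate_racy(MAX_ATTEMPTS)
  puts "racy:   #{racy.failed_attempts} of #{MAX_ATTEMPTS} failures recorded, locked=#{racy.locked?}"
  safe = simulate_atomic(MAX_ATTEMPTS)
  puts "atomic: #{safe.failed_attempts} of #{MAX_ATTEMPTS} failures recorded, locked=#{safe.locked?}"
end
```

With three concurrent failures the racy variant records a single attempt and never locks the account, while the atomic variant records all three and locks it; the defensive takeaway is that a lockout counter must be incremented where the data actually lives, atomically, rather than in application memory.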
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Plataformatec Devise | <=4.5.0 | Upgrade to 4.6.0 or later |
CVE-2019-5421 is a vulnerability in Plataformatec Devise version 4.5.0 and earlier using the lockable module, in which multiple concurrent failed-login requests race on the failed-attempts counter, so an attacker is not locked out.
CVE-2019-5421 has a severity rating of 9.8, which is considered critical.
CVE-2019-5421 is associated with CWE-367.
More information about CVE-2019-5421 can be found at the following references: [Reference 1](https://github.com/plataformatec/devise/issues/4981), [Reference 2](https://github.com/plataformatec/devise/pull/4996).
To fix CVE-2019-5421, it is recommended to update Plataformatec Devise to a version that is later than 4.5.0.