gsd-2015-8314
Vulnerability from gsd
Modified
2016-01-18 00:00
Details
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
Aliases
Aliases
CVE-2015-8314


To clipboard 

{
  "GSD": {
    "alias": "CVE-2015-8314",
    "id": "GSD-2015-8314"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "devise",
            "purl": "pkg:gem/devise"
          }
        }
      ],
      "aliases": [
        "CVE-2015-8314",
        "GHSA-746g-3gfp-hfhw"
      ],
      "details": "Devise version before 3.5.4 uses cookies to implement a \"Remember me\"\nfunctionality. However, it generates the same cookie for all devices. If an\nattacker manages to steal a remember me cookie and the user does not change\nthe password frequently, the cookie can be used to gain access to the\napplication indefinitely.\n",
      "id": "GSD-2015-8314",
      "modified": "2016-01-18T00:00:00.000Z",
      "published": "2016-01-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2015-8314",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://rubysec.com/advisories/CVE-2015-8314/",
            "refsource": "MISC",
            "url": "https://rubysec.com/advisories/CVE-2015-8314/"
          },
          {
            "name": "https://github.com/advisories/GHSA-746g-3gfp-hfhw",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-746g-3gfp-hfhw"
          },
          {
            "name": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24",
            "refsource": "MISC",
            "url": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-8314",
      "date": "2016-01-18",
      "description": "Devise version before 3.5.4 uses cookies to implement a \"Remember me\"\nfunctionality. However, it generates the same cookie for all devices. If an\nattacker manages to steal a remember me cookie and the user does not change\nthe password frequently, the cookie can be used to gain access to the\napplication indefinitely.\n",
      "gem": "devise",
      "ghsa": "746g-3gfp-hfhw",
      "patched_versions": [
        "\u003e= 3.5.4"
      ],
      "title": "Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie",
      "url": "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c3.5.4",
          "affected_versions": "All versions before 3.5.4",
          "credit": "Alfredo Ramirez from VSR",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2016-01-18",
          "description": "Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.",
          "fixed_versions": [
            "3.5.4"
          ],
          "identifier": "CVE-2015-8314",
          "identifiers": [
            "CVE-2015-8314"
          ],
          "package_slug": "gem/devise",
          "pubdate": "2016-01-18",
          "solution": "Upgrade to latest or apply patches.",
          "title": "Unauthorized Access Using remember-me Cookie",
          "urls": [
            "http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/",
            "https://gist.github.com/josevalim/924ce7cc4c0e5039fd79"
          ],
          "uuid": "c76bdaa0-dd5f-42c2-a3aa-fc03db30d138"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:heartcombo:devise:*:*:*:*:*:ruby:*:*",
                    "matchCriteriaId": "693703F3-9D16-4FB7-930F-0FD309D1D3F4",
                    "versionEndExcluding": "3.5.4",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access."
          },
          {
            "lang": "es",
            "value": "Devise gem anterior a 3.5.4 para Ruby maneja mal las cookies Recordarme para las sesiones, lo que puede permitir que un adversario obtenga acceso persistente no autorizado a la aplicaci\u00f3n."
          }
        ],
        "id": "CVE-2015-8314",
        "lastModified": "2023-12-14T20:34:05.650",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-12T17:15:07.450",
        "references": [
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/advisories/GHSA-746g-3gfp-hfhw"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24"
          },
          {
            "source": "cve@mitre.org",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://rubysec.com/advisories/CVE-2015-8314/"
          }
        ],
        "sourceIdentifier": "cve@mitre.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-312"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.