Advisories for Gem/Devise package

A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an attacker can desynchronize the confirmation_token and unconfirmed_email fields. The confirmation token is sent to an email the attacker controls, but the unconfirmed_email in the database points …

An issue was discovered in Plataformatec Devise. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

Using the lockable module contains a vulnerability that can result in multiple concurrent requests can prevent an attacker from being blocked on brute force attacks.

Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made.

Using a specially crafted request, an attacker could trick the database type conversion code to return incorrect records. For some token values this could allow an attacker to bypass the proper checks and gain control of other accounts.