Source: ruby-devise
Version: 4.5.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/plataformatec/devise/issues/4981

Hi,

The following vulnerability was published for ruby-devise.

CVE-2019-5421[0]:
| Plataformatec Devise version 4.5.0 and earlier, using the lockable
| module, contains a CWE-367 vulnerability in the
| `Devise::Models::Lockable` class, more specifically at the
| `#increment_failed_attempts` method. File location:
| lib/devise/models/lockable.rb. Multiple concurrent
| requests can prevent an attacker from being blocked on brute force
| attacks. This attack appears to be exploitable via network connectivity
| (brute force attacks). This vulnerability appears to have been fixed
| in 4.6.0 and later.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5421
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5421
[1] https://github.com/plataformatec/devise/issues/4981
[2] https://github.com/plataformatec/devise/pull/4996

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
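As an added illustration (not Devise's code and not the upstream fix from PR 4996), the following simulates the CWE-367 read-modify-write race on the failed-attempts counter and the atomic-increment pattern that closes it; the database row and its UPDATE are modelled in-process, and `LockableUser`, `MAXIMUM_ATTEMPTS` and `simulate_failed_logins` are names assumed here.

```ruby
# Constructed simulation of a lockable account; not Devise's implementation.
MAXIMUM_ATTEMPTS = 5 # stands in for Devise's config.maximum_attempts

class LockableUser
  attr_reader :failed_attempts, :locked_at

  def initialize
    @failed_attempts = 0
    @locked_at = nil
    @db_lock = Mutex.new # stands in for the DB executing one UPDATE atomically
  end

  # Vulnerable pattern: read the column, compute locally, write it back.
  # Concurrent requests all read the same value and all store value + 1.
  def increment_failed_attempts_racy
    current = @failed_attempts     # check: read the stored counter
    sleep 0.05                     # window in which other requests also read
    @failed_attempts = current + 1 # use: write clobbers the others' updates
    lock_if_exhausted
  end

  # Fixed pattern: one atomic counter increment, as
  # "UPDATE users SET failed_attempts = failed_attempts + 1" would be.
  def increment_failed_attempts_atomic
    @db_lock.synchronize { @failed_attempts += 1 }
    lock_if_exhausted
  end

  def locked?
    !@locked_at.nil?
  end

  private

  def lock_if_exhausted
    @locked_at = Time.now if @failed_attempts >= MAXIMUM_ATTEMPTS
  end
end

# Run `requests` concurrent failed logins against a fresh account and
# return [failed_attempts, locked?] so the two patterns can be compared.
def simulate_failed_logins(requests, atomic:)
  user = LockableUser.new
  meth = atomic ? :increment_failed_attempts_atomic : :increment_failed_attempts_racy
  requests.times.map { Thread.new { user.public_send(meth) } }.each(&:join)
  [user.failed_attempts, user.locked?]
end
```

With 20 concurrent failures the racy variant ends far below the lockout threshold and the account stays unlocked, while the atomic variant counts every attempt and locks it.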