CVE-2024-8796: Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length
(updated )
Under the default configuration, Devise-Two-Factor versions 1.0.0 or >= 4.0.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
References
- github.com/advisories/GHSA-qjxf-mc72-wjr2
- github.com/devise-two-factor/devise-two-factor
- github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19
- github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
- nvd.nist.gov/vuln/detail/CVE-2024-8796
Code Behaviors & Features
Detect and mitigate CVE-2024-8796 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →