CVE-2015-8314: Unauthorized Access Using remember-me Cookie

January 18, 2016

Devise uses cookies to implement a remember-me functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember-me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely. The bug can only be exploited if the attacker can steal cookies in the first place.

References

blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
gist.github.com/josevalim/924ce7cc4c0e5039fd79

Detect and mitigate CVE-2015-8314 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →