Moderate severityNVD Advisory· Published Sep 17, 2024· Updated Sep 20, 2024
Insufficient Default OTP Shared Secret Length
CVE-2024-8796
Description
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
devise-two-factorRubyGems | >= 4.0.0, < 6.0.0 | 6.0.0 |
Affected products
30- osv-coords29 versionspkg:apk/chainguard/gitlab-rails-ce-assets-18.1pkg:apk/chainguard/gitlab-rails-ce-assets-18.2pkg:apk/chainguard/gitlab-rails-ce-assets-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-18.4pkg:apk/chainguard/gitlab-rails-ce-assets-18.5pkg:apk/chainguard/gitlab-rails-ce-assets-18.6pkg:apk/chainguard/gitlab-rails-ce-assets-18.7pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.2pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.4pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-assets-fips-18.7pkg:apk/chainguard/gitlab-rails-ce-doc-18.1pkg:apk/chainguard/gitlab-rails-ce-doc-18.2pkg:apk/chainguard/gitlab-rails-ce-doc-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-18.4pkg:apk/chainguard/gitlab-rails-ce-doc-18.5pkg:apk/chainguard/gitlab-rails-ce-doc-18.6pkg:apk/chainguard/gitlab-rails-ce-doc-18.7pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.1pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.2pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.4pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.5pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-doc-fips-18.7pkg:gem/devise-two-factor
< 18.1.6-r1+ 28 more
- (no CPE)range: < 18.1.6-r1
- (no CPE)range: < 18.2.8-r1
- (no CPE)range: < 18.3.5-r0
- (no CPE)range: < 18.4.3-r0
- (no CPE)range: < 18.5.1-r0
- (no CPE)range: < 18.6.1-r1
- (no CPE)range: < 18.7.0-r0
- (no CPE)range: < 18.1.6-r2
- (no CPE)range: < 18.2.8-r2
- (no CPE)range: < 18.3.5-r2
- (no CPE)range: < 18.4.3-r3
- (no CPE)range: < 18.5.1-r2
- (no CPE)range: < 18.6.1-r2
- (no CPE)range: < 18.7.0-r0
- (no CPE)range: < 18.1.6-r1
- (no CPE)range: < 18.2.8-r1
- (no CPE)range: < 18.3.5-r0
- (no CPE)range: < 18.4.3-r0
- (no CPE)range: < 18.5.1-r0
- (no CPE)range: < 18.6.2-r0
- (no CPE)range: < 18.7.0-r0
- (no CPE)range: < 18.1.6-r2
- (no CPE)range: < 18.2.8-r2
- (no CPE)range: < 18.3.5-r2
- (no CPE)range: < 18.4.3-r3
- (no CPE)range: < 18.5.1-r2
- (no CPE)range: < 18.6.1-r2
- (no CPE)range: < 18.7.0-r0
- (no CPE)range: >= 4.0.0, < 6.0.0
- devise-two-factor/devise-two-factorv5Range: 4.0.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-qjxf-mc72-wjr2ghsaADVISORY
- github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-8796ghsaADVISORY
- github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19ghsaWEB
News mentions
0No linked articles in our index yet.