Add CVE-2019-5421 for devise

heartcombo/devise#4981
reedloden · Mar 14, 2019 · 26a5b49 · 26a5b49
1 parent c28d8ae
commit 26a5b49
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/gems/devise/CVE-2019-5421.yml b/gems/devise/CVE-2019-5421.yml
@@ -0,0 +1,13 @@
+---
+gem: devise
+cve: 2019-5421
+url: https://github.com/plataformatec/devise/issues/4981
+title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
+date: 2019-02-07
+description: |
+  Devise ruby gem before 4.6.0 when the `lockable` module is used is vulnerable to a
+  time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts`
+  within the `Devise::Models::Lockable` class not being concurrency safe.
+
+patched_versions:
+  - ">= 4.6.0"