Description
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
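As an added example (not code from the Devise-Two-Factor project or the ROTP gem it builds on), the following Ruby audits how much entropy a base32-encoded TOTP secret actually carries against the RFC 4226 minimum, and generates a replacement secret of the required size from SecureRandom. It assumes secrets are stored in unpadded RFC 4648 base32, the form TOTP provisioning uses; the 24-character sample secret is constructed so that it carries exactly the 120 bits the description quotes (24 characters × 5 bits).

```ruby
require 'securerandom'

# RFC 4226 (R6) requires a shared secret of at least 128 bits and
# recommends 160 bits.
RFC4226_MIN_SECRET_BITS = 128
RFC4226_RECOMMENDED_SECRET_BITS = 160

# RFC 4648 base32 alphabet: each character encodes 5 bits.
BASE32_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

# Encode raw bytes as unpadded base32.
def base32_encode(bytes)
  bits = bytes.unpack1('B*')
  bits.scan(/.{1,5}/).map { |chunk| BASE32_ALPHABET[chunk.ljust(5, '0').to_i(2)] }.join
end

# Decode unpadded base32 into raw bytes; trailing bits that do not fill a
# whole byte are encoding padding, not secret material, and are dropped.
def base32_decode(str)
  bits = str.upcase.delete('=').each_char.map do |c|
    idx = BASE32_ALPHABET.index(c)
    raise ArgumentError, "invalid base32 character #{c.inspect}" unless idx
    idx.to_s(2).rjust(5, '0')
  end.join
  usable = bits.length - (bits.length % 8)
  bits[0, usable].scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# Audit a stored TOTP secret: report its entropy in bits (decoded bytes × 8)
# and whether it meets the RFC 4226 minimum and recommendation.
def audit_totp_secret(secret)
  bits = base32_decode(secret).bytesize * 8
  {
    bits: bits,
    meets_minimum: bits >= RFC4226_MIN_SECRET_BITS,
    meets_recommended: bits >= RFC4226_RECOMMENDED_SECRET_BITS
  }
end

# Generate a base32 secret carrying at least `min_bits` of entropy from a
# cryptographically secure source (rounded up to whole bytes).
def generate_totp_secret(min_bits = RFC4226_RECOMMENDED_SECRET_BITS)
  nbytes = (min_bits / 8.0).ceil
  base32_encode(SecureRandom.random_bytes(nbytes))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: 24 base32 characters, i.e. the 120-bit size the
  # advisory describes. It fails the 128-bit minimum.
  weak = 'JBSWY3DPEHPK3PXPJBSWY3DP'
  puts "weak secret:  #{audit_totp_secret(weak)}"
  strong = generate_totp_secret
  puts "fresh secret: #{audit_totp_secret(strong)} (#{strong.length} chars)"
end
```

Running the audit over every stored secret in the `otp_secret` column (after decrypting it, if the application encrypts the column) is the practical way to find accounts enrolled while the short default was in effect; those users need re-enrollment with a fresh secret, since the secret cannot be lengthened in place without invalidating their authenticator apps.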
| Release | Status | Note |
|---|---|---|
| devel | DNE | |
| esm-apps/focal | released | 3.1.0-2ubuntu0.1~esm1 |
| esm-apps/jammy | released | 4.0.0-2ubuntu0.1~esm1 |
| esm-apps/noble | not-affected | |
| esm-apps/xenial | needed | |
| focal | ignored | end of standard support, was needed |
| jammy | needed | |
| noble | not-affected | |
| oracular | not-affected | |
| plucky | not-affected | |
EPSS
5.3 Medium
CVSS3
Related vulnerabilities
Devise-Two-Factor Authentication Uses Insufficient Default OTP Shared Secret Length