CVE-2015-8314

HIGH

Devise < 3.5.4 - Cleartext Storage of Sensitive Information in Remember Me Cookies

Title source: llm

Description

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.

References (3)

Core 3

Core References

Patch, Third Party Advisory

https://github.com/advisories/GHSA-746g-3gfp-hfhw

Patch

https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24

Third Party Advisory

https://rubysec.com/advisories/CVE-2015-8314/

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-312

Status published

Products (2)

heartcombo/devise < 3.5.4

rubygems/devise 0 - 3.5.4RubyGems

Published Dec 12, 2023

Tracked Since Feb 18, 2026