CVE-2024-8796

MEDIUM

Devise-Two-Factor >=2.2.0 <6.0.0 - Info Disclosure

Title source: llm

Description

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

References (1)

[Mitigation, Vendor Advisory] https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

Scores

CVSS v3 5.3

EPSS 0.0024

EPSS Percentile 47.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-331

Status published

Products (3)

rubygems/devise-two-factor 4.0.0 - 6.0.0RubyGems

tinfoilsecurity/devise-two-factor 1.0.0

tinfoilsecurity/devise-two-factor 4.0.0 - 6.0.0

Published Sep 17, 2024

Tracked Since Feb 18, 2026