Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Metrics
Affected Vendors & Products
References
History
Mon, 30 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Tinfoilsecurity
Tinfoilsecurity devise-two-factor |
|
CPEs | cpe:2.3:a:tinfoilsecurity:devise-two-factor:*:*:*:*:*:*:*:* cpe:2.3:a:tinfoilsecurity:devise-two-factor:1.0.0:*:*:*:*:*:*:* |
|
Vendors & Products |
Tinfoilsecurity
Tinfoilsecurity devise-two-factor |
Wed, 18 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 17 Sep 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes. | |
Title | Insufficient Default OTP Shared Secret Length | |
Weaknesses | CWE-331 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: SNPS
Published: 2024-09-17T17:12:13.468Z
Updated: 2024-09-20T19:43:21.263Z
Reserved: 2024-09-13T16:52:10.095Z
Link: CVE-2024-8796
Vulnrichment
Updated: 2024-09-18T14:00:47.475Z
NVD
Status : Analyzed
Published: 2024-09-17T18:15:05.443
Modified: 2024-09-30T14:10:38.937
Link: CVE-2024-8796
Redhat
No data.