An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
CVE-2019-16109 - Medium Severity Vulnerability
Vulnerable Library - devise-4.7.0.gem
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-4.7.0.gem
Dependency Hierarchy: - :x: **devise-4.7.0.gem** (Vulnerable Library)
Found in HEAD commit: 0cc6845b68c9648d6cc64293d4276d9e63d3123e
Vulnerability Details
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
Publish Date: 2019-09-08
URL: CVE-2019-16109
CVSS 3 Score Details (5.3)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16109
Release Date: 2019-09-08
Fix Resolution: v4.7.1
Step up your Open Source Security Game with WhiteSource here