An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
CVE-2019-16109 - Medium Severity Vulnerability
Vulnerable Library - devise-4.7.1.gem
Flexible authentication solution for Rails with Warden
Library home page: https://rubygems.org/gems/devise-4.7.1.gem
Dependency Hierarchy: - :x: **devise-4.7.1.gem** (Vulnerable Library)
Found in HEAD commit: 22cc91d2fedd7c0e75911191c19ce2e9f80ee2a7
Vulnerability Details
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
Publish Date: 2019-09-08
URL: CVE-2019-16109
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16109
Release Date: 2019-09-08
Fix Resolution: v4.7.1
Step up your Open Source Security Game with WhiteSource here