vicvega / chaltron

Template generator for rails application with bootstrap, devise...
MIT License

CVE-2019-16109 (Medium) detected in devise-4.7.1.gem #38

Closed mend-bolt-for-github[bot] closed 4 years ago

mend-bolt-for-github[bot] commented 4 years ago

CVE-2019-16109 - Medium Severity Vulnerability

Vulnerable Library - devise-4.7.1.gem

Flexible authentication solution for Rails with Warden

Library home page: https://rubygems.org/gems/devise-4.7.1.gem

Dependency Hierarchy:
- :x: **devise-4.7.1.gem** (Vulnerable Library)

Found in HEAD commit: 22cc91d2fedd7c0e75911191c19ce2e9f80ee2a7

Vulnerability Details

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

Publish Date: 2019-09-08

URL: CVE-2019-16109

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16109

Release Date: 2019-09-08

Fix Resolution: v4.7.1


vicvega commented 4 years ago

Devise version 4.7.1 is fixed!

See http://blog.plataformatec.com.br/2019/09/improve-confirmation-token-validation-in-devise-cve-2019-xxxx/