Miggo Logo

CVE-2021-43177: Improper one time password handling in devise-two-factor

5.3

CVSS Score
3.1

Basic Information

EPSS Score
0.3939%
CWE
-
Published
4/7/2022
Updated
5/4/2023
KEV Status
No
Technology
TechnologyRuby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
devise-two-factorrubygems< 4.0.24.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper OTP handling where a code could be reused in the next interval. This typically occurs in the OTP validation/consumption logic. The function responsible for consuming OTPs after validation (like validate_and_consume_otp!) would need to track used intervals properly. The incomplete fix for CVE-2015-7225 suggests the timestamp update mechanism didn't account for trailing intervals, allowing reuse. The high confidence comes from the pattern of TOTP validation vulnerabilities typically residing in this core authentication method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *s * r*sult o* *n in*ompl*t* *ix *or *V*-****-****, in v*rsions o* **vis*-two-***tor prior to *.*.* it is possi*l* to r*us* * On*-Tim*-P*sswor* (OTP) *or on* (*n* only on*) imm**i*t*ly tr*ilin* int*rv*l. ### P*t***s T*is vuln*r**ility **

Reasoning

T** vuln*r**ility st*ms *rom improp*r OTP **n*lin* w**r* * *o** *oul* ** r*us** in t** n*xt int*rv*l. T*is typi**lly o**urs in t** OTP v*li**tion/*onsumption lo*i*. T** *un*tion r*sponsi*l* *or *onsumin* OTPs **t*r v*li**tion (lik* v*li**t*_*n*_*onsu