5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43177

GHSA ID

GHSA-jm35-h8q2-73mp

EPSS Score

0.3939%

CWE

Published

4/7/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43177

CVE-2021-43177:
Improper one time password handling in devise-two-factor

Impact

As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval.

Patches

This vulnerability has been patched in version 4.0.2 which was released on March 24th, 2022. Individuals using this package are strongly encouraged to upgrade as soon as possible.

Credit for discovery

Benoit Côté-Jodoin Michael Nipper - https://github.com/tinfoil/devise-two-factor/issues/106

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43177

GHSA ID

GHSA-jm35-h8q2-73mp

EPSS Score

0.3939%

CWE

Published

4/7/2022

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
devise-two-factor	rubygems	< 4.0.2	4.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper OTP handling where a code could be reused in the next interval. This typically occurs in the OTP validation/consumption logic. The function responsible for consuming OTPs after validation (like validate_and_consume_otp!) would need to track used intervals properly. The incomplete fix for CVE-2015-7225 suggests the timestamp update mechanism didn't account for trailing intervals, allowing reuse. The high confidence comes from the pattern of TOTP validation vulnerabilities typically residing in this core authentication method.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *s * r*sult o* *n in*ompl*t* *ix *or *V*-****-****, in v*rsions o* **vis*-two-***tor prior to *.*.* it is possi*l* to r*us* * On*-Tim*-P*sswor* (OTP) *or on* (*n* only on*) imm**i*t*ly tr*ilin* int*rv*l. ### P*t***s T*is vuln*r**ility **

Reasoning

T** vuln*r**ility st*ms *rom improp*r OTP **n*lin* w**r* * *o** *oul* ** r*us** in t** n*xt int*rv*l. T*is typi**lly o**urs in t** OTP v*li**tion/*onsumption lo*i*. T** *un*tion r*sponsi*l* *or *onsumin* OTPs **t*r v*li**tion (lik* v*li**t*_*n*_*onsu

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-43177: Improper one time password handling in devise-two-factor

Impact

Patches

Credit for discovery

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-43177:
Improper one time password handling in devise-two-factor

Vulnerability Intelligence
Miggo AI