CVE-2021-43177: Improper one time password handling in devise-two-factor
5.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.3939%
CWE
-
Published
4/7/2022
Updated
5/4/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
devise-two-factor | rubygems | < 4.0.2 | 4.0.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper OTP handling where a code could be reused in the next interval. This typically occurs in the OTP validation/consumption logic. The function responsible for consuming OTPs after validation (like validate_and_consume_otp!) would need to track used intervals properly. The incomplete fix for CVE-2015-7225 suggests the timestamp update mechanism didn't account for trailing intervals, allowing reuse. The high confidence comes from the pattern of TOTP validation vulnerabilities typically residing in this core authentication method.