Back to search
CVE-2015-7225
Published: Sep 6, 2017
Modified: Aug 6, 2024
PUBLISHED
Description
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md
x_refsource_CONFIRM
[oss-security] 20150917 Re: CVE Request: TOTP Replay Attack in Ruby library
mailing-list
x_refsource_MLIST
[oss-sercurity] 20150620 CVE Request: MITM & Shoulder-surfing vuln in Ruby OTP/HOTP/TOTP library "ROPT"
mailing-list
x_refsource_MLIST
76789
vdb-entry
x_refsource_BID
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798466
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now