CVE-2015-8314
Published: 2023-12-12
Priority: P3 · Score: 37 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.62% (45.1th percentile)
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-devise | < ruby-devise 3.5.6-2 (bookworm) | ruby-devise 3.5.6-2 (bookworm) |
| heartcombo | devise | < 3.5.4 | 3.5.4 |
| plataformatec | devise | >= 0 < 3.5.4 | 3.5.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
OSV
CVE-2015-8314 [HIGH] CVE-2015-8314: The Devise gem before 3.5.4
osv · 2023-12-12 · CVSS 7.5
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
GHSA
CVE-2015-8314 [HIGH] CWE-288 Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
ghsa · 2023-01-26
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
OSV
CVE-2015-8314 [HIGH] Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie
osv · 2023-01-26
Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.
Debian
CVE-2015-8314 [HIGH] CVE-2015-8314: ruby-devise - The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions...
vendor_debian · 2015 · CVSS 7.5
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
Scope: local
bookworm: resolved (fixed in 3.5.6-2)
bullseye: resolved (fixed in 3.5.6-2)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/advisories/GHSA-746g-3gfp-hfhw
- https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24
- https://rubysec.com/advisories/CVE-2015-8314/