Home > Vulnerability Database > CVE-2024-8796

Mend.io Vulnerability Database

CVE-2024-8796

Good to know:

Date: September 17, 2024

Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.

Language: Ruby

Severity Score

5.3

Related Resources (6)

Url: https://security-tracker.debian.org/tracker/CVE-2024-8796

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-8796

Url: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2

Url: https://github.com/devise-two-factor/devise-two-factor

Url: https://github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19

Url: https://www.mend.io/vulnerability-database/CVE-2024-8796

Severity Score

5.3

Weakness Type (CWE)

Insufficient Entropy

CWE-331

Top Fix

Upgrade Version

Upgrade to version devise-two-factor - 6.0.0

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-8796

Good to know:

Date: September 17, 2024

Language: Ruby

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?