devise
RubyGems: 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting devise (page 1 of 1)
- CVE-2013-0233 (severity: NONE, CVSS 0.0, EG 0.0), fixed in 1.5.4, published 2013-04-25
  vulnerable: 1.5.0, 1.5.1, 1.5.2, 1.5.3
  Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote atta…
- CVE-2015-8314 (severity: HIGH, CVSS 7.5, EG 7.5), fixed in 3.5.4, published 2023-12-12
  vulnerable: 0.1.0 ... 3.5.3 (130 versions)
  The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
- CVE-2019-16109 (severity: MEDIUM, CVSS 5.3, EG 5.3), fixed in 4.7.1, published 2019-09-08
  vulnerable: 0.1.0 ... 4.7.0 (157 versions)
  An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no sce…
- CVE-2019-5421 (severity: CRITICAL, CVSS 9.8, EG 9.8), fixed in 4.6.0, published 2019-04-03
  vulnerable: 0.1.0 ... 4.5.0 (153 versions)
  Plataformatec Devise version 4.5.0 and earlier, using the lockable module, contains a CWE-367 vulnerability in the `Devise::Models::Lockable` class, more specifically at the `#increment_failed_attempts` method. File location: lib/devise/mod…