Vulnerability Details : CVE-2015-8314
The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
Products affected by CVE-2015-8314
- cpe:2.3:a:heartcombo:devise:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-8314
- 0.11%: Probability of exploitation activity in the next 30 days
- ~ 44 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-8314
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2015-8314
- The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-8314
- https://github.com/heartcombo/devise/commit/c92996646aba2d25b2c3e235fe0c4f1a84b70d24
  Store creation timestamp on remember cookies · heartcombo/devise@c929966 · GitHub (Patch)
- https://rubysec.com/advisories/CVE-2015-8314/
  CVE-2015-8314 (devise): Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie - RubySec (Third Party Advisory)
- https://github.com/advisories/GHSA-746g-3gfp-hfhw
  Devise Gem for Ruby Unauthorized Access Using "Remember Me" Cookie · CVE-2015-8314 · GitHub Advisory Database · GitHub (Patch; Third Party Advisory)