CVE-2019-16109

An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)

Published: Sep 8, 2019
Updated: May 9, 2024
CVE: CVE-2019-16109
GHSA: GHSA-fcjw-8rhj-gwwc
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
plataformatec / devise	-	4.7.1
devise	-	4.7.1

https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1
https://github.com/plataformatec/devise/issues/5071
https://github.com/plataformatec/devise/pull/5132
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise/CVE-2019-16109.yml

Vulnerability Database

290,273

CVE-2019-16109