Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Insufficient Default OTP Shared Secret Length
Vulnerability Description
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
信息熵不充分
Vulnerability Title
Devise-Two-Factor 安全漏洞
Vulnerability Description
Devise-Two-Factor是Devise-Two-Factor开源的一个 Devise 的极简扩展。用于通过 TOTP 方案提供对双因素身份验证的支持。 Devise-Two-Factor 2.2.0及之前版本和6.0.0之前版本存在安全漏洞,该漏洞源于生成的TOTP共享密钥长度不足,可能使攻击者更容易生成有效的TOTP代码。
CVSS Information
N/A
Vulnerability Type
N/A