Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes.
Metrics
Affected Vendors & Products
References
History
Wed, 18 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Tue, 17 Sep 2024 17:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-factor authentication code could make it easier for an attacker to guess the shared secret and generate valid TOTP codes. | |
Title | Insufficient Default OTP Shared Secret Length | |
Weaknesses | CWE-331 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: SNPS
Published: 2024-09-17T17:12:13.468Z
Updated: 2024-09-18T14:00:50.568Z
Reserved: 2024-09-13T16:52:10.095Z
Link: CVE-2024-8796
Vulnrichment
Updated: 2024-09-18T14:00:47.475Z
NVD
Status : Received
Published: 2024-09-17T18:15:05.443
Modified: 2024-09-17T18:15:05.443
Link: CVE-2024-8796
Redhat
No data.