Vulnerabilities > Tinfoilsecurity > Devise TWO Factor > 4.0.1

DATE CVE VULNERABILITY TITLE RISK
2024-09-17 CVE-2024-8796 Insufficient Entropy vulnerability in Tinfoilsecurity Devise-Two-Factor
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226.
network
high complexity
tinfoilsecurity CWE-331
5.3
5.3
2022-04-11 CVE-2021-43177 Unspecified vulnerability in Tinfoilsecurity Devise-Two-Factor
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval.
network
high complexity
tinfoilsecurity
5.3
5.3