Vulnerability Description
An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plataformatec | Devise | < 4.7.1 |
References
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1Third Party Advisory
- https://github.com/plataformatec/devise/issues/5071Third Party Advisory
- https://github.com/plataformatec/devise/pull/5132PatchThird Party Advisory
- https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1Third Party Advisory
- https://github.com/plataformatec/devise/issues/5071Third Party Advisory
- https://github.com/plataformatec/devise/pull/5132PatchThird Party Advisory
FAQ
What is CVE-2019-16109?
CVE-2019-16109 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_...
How severe is CVE-2019-16109?
CVE-2019-16109 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-16109?
Check the references section above for vendor advisories and patch information. Affected products include: Plataformatec Devise.