GHSA-746g-3gfp-hfhw: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
Devise versions before 3.5.4 use a cookie to implement the “Remember me” feature. However, the cookie is generated from the account alone, so every device the user logs in from receives the same value. If an attacker manages to steal a remember-me cookie and the user does not change their password, the cookie can be used to access the application indefinitely: there is no per-device token to revoke, and nothing other than a password change invalidates it. Upgrade to Devise 3.5.4 or later; because a cookie already in an attacker's hands stays valid until the password changes, a password change is the way to cut off any session that was stolen before the upgrade.
Moderate severity • GitHub Reviewed • Published Jan 26, 2023 to the GitHub Advisory Database • Updated Jan 26, 2023
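To make the difference concrete, the following Ruby script is an added illustration (not Devise's own code and not the 3.5.4 fix) that models the two designs: a weak remember-me cookie derived only from the account, as the advisory describes, beside a hardened one with a random per-device token, a server-side token store, an expiry and revocation on sign-out. The signing key, the 14-day lifetime, the `password_salt` field (standing in for whatever per-password value an application derives) and the in-memory user table are all constructed for the example.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Constructed signing key for this illustration only; a real application uses its own secret.
SIGNING_KEY = "illustrative-key-not-from-devise".freeze
REMEMBER_TTL = 14 * 24 * 60 * 60 # seconds a hardened remember cookie stays valid (assumed policy)

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", SIGNING_KEY, payload)
end

# Constant-time comparison so cookie checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# cookie = base64("field1|field2|...|HMAC(fields)")
def encode_cookie(*fields)
  payload = fields.join("|")
  Base64.strict_encode64("#{payload}|#{sign(payload)}")
end

# Returns the fields if the HMAC verifies, nil for tampered or malformed cookies.
def decode_cookie(cookie)
  parts = Base64.strict_decode64(cookie).split("|")
  mac = parts.pop
  return nil if mac.nil?
  secure_equal?(sign(parts.join("|")), mac) ? parts : nil
rescue ArgumentError
  nil
end

# Weak scheme, modelled on the behaviour the advisory describes: the cookie is derived from the
# account alone (id + a per-password salt), so every device gets the same cookie, nothing expires
# it, and signing out cannot revoke it. Only a password change (new salt) invalidates it.
module WeakRememberMe
  def self.issue(user, _now)
    encode_cookie(user[:id], user[:password_salt])
  end

  def self.authenticate(cookie, users, _now)
    id, salt = decode_cookie(cookie)
    user = users[id.to_i]
    user if user && secure_equal?(salt, user[:password_salt])
  end

  def self.sign_out(_user, _cookie); end # nothing to revoke
  def self.password_changed(_user); end # the salt change alone does the work
end

# Hardened scheme: each login gets its own random token whose digest is stored server-side with
# the issue time, so cookies are per device, expire, and can be revoked one at a time or all at once.
module HardenedRememberMe
  def self.issue(user, now)
    token = SecureRandom.hex(16)
    user[:remember_tokens][digest(token)] = now
    encode_cookie(user[:id], token, now)
  end

  def self.authenticate(cookie, users, now)
    id, token, issued_at = decode_cookie(cookie)
    user = users[id.to_i]
    return nil unless user && token && issued_at
    stored_at = user[:remember_tokens][digest(token)]
    return nil unless stored_at && stored_at == issued_at.to_i # revoked or unknown token
    return nil if now - stored_at > REMEMBER_TTL # expired
    user
  end

  def self.sign_out(user, cookie)
    _id, token = decode_cookie(cookie)
    user[:remember_tokens].delete(digest(token)) if token
  end

  def self.password_changed(user)
    user[:remember_tokens].clear # drop every remembered device, not just the current one
  end

  def self.digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end

# Runs the same attacker story against both schemes and reports what the stolen cookie can still do.
def compare_schemes(now = Time.now.to_i)
  { weak: WeakRememberMe, hardened: HardenedRememberMe }.each_with_object({}) do |(name, scheme), out|
    users = { 1 => { id: 1, password_salt: "salt-A", remember_tokens: {} } } # constructed user table
    user = users[1]
    laptop = scheme.issue(user, now)
    phone  = scheme.issue(user, now + 60)
    stolen = laptop.dup # attacker copies the laptop's cookie
    r = {}
    r[:same_cookie_on_every_device] = (laptop == phone)
    r[:stolen_valid]                = !scheme.authenticate(stolen, users, now + 120).nil?
    scheme.sign_out(user, laptop) # victim signs out on the laptop
    r[:stolen_valid_after_sign_out]  = !scheme.authenticate(stolen, users, now + 180).nil?
    r[:phone_unaffected_by_sign_out] = !scheme.authenticate(phone, users, now + 180).nil?
    r[:phone_valid_after_a_year]     = !scheme.authenticate(phone, users, now + 365 * 24 * 3600).nil?
    user[:password_salt] = "salt-B" # password change: the only remedy in the weak scheme
    scheme.password_changed(user)
    r[:phone_valid_after_password_change] = !scheme.authenticate(phone, users, now + 240).nil?
    out[name] = r
  end
end

puts compare_schemes.inspect if $PROGRAM_NAME == __FILE__
```

In the weak scheme the stolen cookie keeps working after the victim signs out and a year later; only the password change stops it, which is exactly the exposure the advisory describes. In the hardened scheme the stolen cookie still works until the victim signs out or the token expires, so per-device tokens narrow the window rather than close it; what they add is the ability to revoke a single device, expire unused cookies and drop every remembered device on a password change.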