Inadequate Login Attempt Throttling in Devise-Two-Factor Allows Brute-Force Bypass of 2FA

Inadequate Login Attempt Throttling in Devise-Two-Factor Allows Brute-Force Bypass of 2FA

CVE-2024-0227 · HIGH Severity

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks.

Learn more about our Cis Benchmark Audit For Server Software.