Inadequate Login Attempt Throttling in Devise-Two-Factor Allows Brute-Force Bypass of 2FA
CVE-2024-0227 · HIGH Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Devise-Two-Factor does not throttle or otherwise restrict login attempts at the server by default. When combined with the Time-based One Time Password algorithm's (TOTP) inherent entropy limitations, it's possible for an attacker to bypass the 2FA mechanism through brute-force attacks.
Learn more about our Cis Benchmark Audit For Server Software.