CVE-2015-8314

7.5 HIGH

📋 TL;DR

This vulnerability in the Devise authentication gem for Ruby allows attackers to forge 'Remember Me' cookies, potentially gaining unauthorized persistent access to user accounts. It affects Ruby applications using Devise for authentication with the 'rememberable' module enabled. The issue stems from improper handling of cookie signatures.

💻 Affected Systems

Products:
  • Devise Ruby gem
Versions: All versions before 3.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Devise's 'rememberable' module. Applications without this feature enabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain persistent administrative access to applications, leading to complete system compromise, data theft, and privilege escalation.

🟠 Likely Case

Attackers gain unauthorized access to user accounts, potentially accessing sensitive data and performing actions as legitimate users.

🟢 If Mitigated

With proper session management and monitoring, impact is limited to temporary account access that can be detected and revoked.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to valid user sessions or the ability to forge cookies. The vulnerability is well documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.4 and later

Vendor Advisory: https://github.com/advisories/GHSA-746g-3gfp-hfhw

Restart Required: Yes

Instructions:

1. Update the Gemfile to 'gem "devise", ">= 3.5.4"'
2. Run 'bundle update devise'
3. Restart the application server
4. Invalidate all existing remember me tokens by resetting secret_key_base

🔧 Temporary Workarounds

Disable Remember Me feature (applies to: all)

Temporarily disable the rememberable module in the Devise configuration

# The module list is the `devise ...` call in the model (e.g. app/models/user.rb),
# not config/initializers/devise.rb (which only holds options such as remember_for):
# remove or comment out :rememberable there and restart the application

Rotate secret_key_base (applies to: all)

Change the Rails secret_key_base to invalidate all existing cookies

# In config/secrets.yml
# Change the secret_key_base value and restart the application

🧯 If You Can't Patch

  • Implement additional session validation and monitoring
  • Deploy WAF rules to detect cookie manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for the devise version ('grep devise Gemfile.lock'); a pinned version below 3.5.4 is vulnerable.

Check Version:

bundle show devise | grep -o 'devise-[0-9.]*'

Verify Fix Applied:

Confirm devise version is >= 3.5.4 in Gemfile.lock and test remember me functionality
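
As an added example (not part of this advisory or of Devise itself), the following Ruby script applies the Gemfile.lock check above using Gem::Version, so that a release such as 3.5.10 is not mistaken for being older than 3.5.4 by a plain string comparison; the lockfile fragments are constructed for the example, not taken from any real project:

```ruby
# Added example: classify a Gemfile.lock against the CVE-2015-8314 fix release.
# Gem::Version compares release numbers numerically, segment by segment, which a
# visual check of `grep devise Gemfile.lock` does not ("3.5.10" > "3.5.4").
require "rubygems"

FIXED_DEVISE_VERSION = Gem::Version.new("3.5.4")

# Return the devise version pinned in the lockfile text, or nil if absent.
# Only the "specs:" entry of the form "    devise (3.5.3)" (four-space indent)
# is a pin; deeper-indented lines such as "      devise (~> 3.5)" are
# dependency constraints of other gems and are deliberately ignored.
def devise_version_in_lock(lock_text)
  lock_text.each_line do |line|
    m = line.match(/\A {4}devise \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Classify a lockfile as :vulnerable, :fixed, or :not_present (devise not used).
def devise_lock_status(lock_text)
  version = devise_version_in_lock(lock_text)
  return :not_present if version.nil?
  Gem::Version.new(version) < FIXED_DEVISE_VERSION ? :vulnerable : :fixed
end

# Constructed sample lockfile fragments (hypothetical, not from a real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bcrypt (3.1.10)
      devise (3.5.3)
        bcrypt (~> 3.0)
        warden (~> 1.2.3)
      warden (1.2.4)
LOCK

# Same lockfile with devise bumped to a 3.5.x release newer than the fix.
FIXED_LOCK = VULNERABLE_LOCK.sub("devise (3.5.3)", "devise (3.5.10)")

puts "constructed vulnerable lock: #{devise_lock_status(VULNERABLE_LOCK)}"
puts "constructed fixed lock:      #{devise_lock_status(FIXED_LOCK)}"
```

To check a real application, call devise_lock_status(File.read("Gemfile.lock")) from the project root.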

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with remember me tokens
  • Unusual session durations or locations

Network Indicators:

  • Suspicious cookie manipulation in HTTP requests

SIEM Query:

source="application.log" AND ("remember_me" OR "rememberable") AND ("failed" OR "invalid")
