Add CVE-2019-5421 for devise (#375)

reedloden · web-flow · commit 65721158d7a4 · 2019-03-14T12:41:26.000-07:00
heartcombo/devise#4981
diff --git a/gems/devise/CVE-2019-5421.yml b/gems/devise/CVE-2019-5421.yml
@@ -0,0 +1,13 @@
+---
+gem: devise
+cve: 2019-5421
+url: https://github.com/plataformatec/devise/issues/4981
+title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
+date: 2019-02-07
+description: |
+  Devise ruby gem before 4.6.0 when the `lockable` module is used is vulnerable to a
+  time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts`
+  within the `Devise::Models::Lockable` class not being concurrency safe.
+
+patched_versions:
+  - ">= 4.6.0"
