Investigate if CVE-2024-0227 is relevant #1285
Comments
|
Thanks for the heads up, @ros-cr! |
|
@ros-cr for next time, security advisories should generally be handled following the "Security" tab. https://github.com/bullet-train-co/bullet_train/security Opening public issues for possible security issues is generally not a good idea unless you've followed the appropriate steps of attempting to notify privately and have waited generally, 90 days for a response. |
|
We did follow coordinated security guidelines to report the 2FA bypass vulnerability to the I think you can see how the burden of reliably assessing and confidentially reporting library vulnerability related impact to many potentially affected dependent projects quickly becomes unmanageable. Similarly, I think you'll agree that once a security issue in a code dependency of an open source project has been published, it makes a lot less sense to handle it at the same confidentiality level as the original disclosure. #1285 is a post-disclosure courtesy for your project. We noticed your dependency on An additional note: for future issues, please provide an official email security contact option, instead of exclusively requiring the use of third party services like Twitter or Discord to reach the project confidentially. |
|
@ros-cr makes sense that it's essentially like a dependabot notification 👍 |
I'm a pentester from Radically Open Security.
We recently reported a 2FA bypass vulnerability in the
devise-two-factorlibrary, see the GHSA-chcr-x7hc-8fp8 advisory and my writeup.Since
Bullet Trainuses thedevise-two-factorlibrary for 2FA authentication, we recommend looking into this as a potential security problem you could be affected by. Please note that we have not further analyzed your project code.Relevant gem definition:
bullet_train/Gemfile
Line 140 in cd59fff
The text was updated successfully, but these errors were encountered: