Investigate if CVE-2024-0227 is relevant #1285
Comments
Thanks for the heads up, @ros-cr!

@ros-cr for next time, security advisories should generally be handled following the "Security" tab. https://github.com/bullet-train-co/bullet_train/security Opening public issues for possible security issues is generally not a good idea unless you've followed the appropriate steps of attempting to notify privately and have waited, generally 90 days, for a response.

We did follow coordinated security guidelines to report the 2FA bypass vulnerability to the I think you can see how the burden of reliably assessing and confidentially reporting library vulnerability related impact to many potentially affected dependent projects quickly becomes unmanageable. Similarly, I think you'll agree that once a security issue in a code dependency of an open source project has been published, it makes a lot less sense to handle it at the same confidentiality level as the original disclosure. #1285 is a post-disclosure courtesy for your project. We noticed your dependency on An additional note: for future issues, please provide an official email security contact option, instead of exclusively requiring the use of third party services like Twitter or Discord to reach the project confidentially.

@ros-cr makes sense that it's essentially like a dependabot notification 👍
I'm a pentester from Radically Open Security.

We recently reported a 2FA bypass vulnerability in the devise-two-factor library, see the GHSA-chcr-x7hc-8fp8 advisory and my writeup. Since Bullet Train uses the devise-two-factor library for 2FA authentication, we recommend looking into this as a potential security problem you could be affected by. Please note that we have not further analyzed your project code.

Relevant gem definition:
bullet_train/Gemfile
Line 140 in cd59fff