{"id":"UBUNTU-CVE-2019-16109","details":"An issue was discovered in Plataformatec Devise before 4.7.1. It confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. (However, there is no scenario within Devise itself in which such database records would exist.)","modified":"2026-01-20T16:47:27.802171Z","published":"2019-09-08T20:15:00Z","upstream":["CVE-2019-16109"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-16109"},{"type":"REPORT","url":"https://github.com/plataformatec/devise/compare/v4.7.0...v4.7.1"},{"type":"REPORT","url":"https://github.com/plataformatec/devise/issues/5071"},{"type":"REPORT","url":"https://github.com/plataformatec/devise/pull/5132"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2019-16109"}],"affected":[{"package":{"name":"ruby-devise","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/ruby-devise@3.5.6-2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["3.5.1-1","3.5.2-1","3.5.2-2","3.5.2-3","3.5.6-2"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-devise","binary_version":"3.5.6-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16109.json"}},{"package":{"name":"ruby-devise","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/ruby-devise@4.4.3-1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.2.0-1","4.3.0-1","4.4.3-1"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-devise","binary_version":"4.4.3-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16109.json"}},{"package":{"name":"ruby-devise","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/ruby-devise@4.7.1-2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.5.0-3","4.6.2-2","4.7.1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-devise","binary_version":"4.7.1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16109.json"}},{"package":{"name":"ruby-devise","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/ruby-devise@4.7.3-2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.7.3-2"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-devise","binary_version":"4.7.3-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16109.json"}},{"package":{"name":"ruby-devise","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/ruby-devise@4.9.3-1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.8.1-1","4.9.2-1","4.9.3-1"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-devise","binary_version":"4.9.3-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-16109.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}