Ignore CVE-2024-8796, which does not impact us

2024-11-15 03:15:32 +00:00 · 2024-09-27 14:31:00 +02:00 · 2024-09-27 14:31:00 +02:00 · d2842db18d
parent 346c37df80
commit d2842db18d
1 changed files with 4 additions and 0 deletions
--- a/.bundler-audit.yml
+++ b/.bundler-audit.yml
@ -4,3 +4,7 @@ ignore:
  # We have rate-limits on authentication endpoints in place (including second
  # factor verification) since Mastodon v3.2.0
  - CVE-2024-0227
+  # devise-two-factor advisory about generated secrets being weaker than expected
+  # We call `generate_otp_secret` ourselves with a requested length of 32 characters,
+  # which exceeds the recommended remediation of 26 characters, so we're safe
+  - CVE-2024-8796