diff --git a/gems/devise-two-factor/CVE-2024-8796.yml b/gems/devise-two-factor/CVE-2024-8796.yml
new file mode 100644
index 0000000000..01272d7cfa
--- /dev/null
+++ b/gems/devise-two-factor/CVE-2024-8796.yml
@@ -0,0 +1,62 @@
+---
+gem: devise-two-factor
+cve: 2024-8796
+ghsa: qjxf-mc72-wjr2
+url: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
+title: Devise-Two-Factor Authentication Uses Insufficient Default
+  OTP Shared Secret Length
+date: 2024-09-17
+description: |
+  ### Summary
+  Under the default configuration, Devise-Two-Factor version
+  >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits
+  instead of the 128-bit minimum defined by
+  [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226).
+  Using a shared secret shorter than the minimum to generate a
+  multi-factor authentication code could make it easier for an
+  attacker to guess the shared secret and generate valid TOTP codes.
+
+  ### Remediation
+  Devise-Two-Factor should be upgraded to version v6.0.0 as soon
+  as possible. After upgrading, the length of shared secrets and
+  TOTP URLs generated by the library will increase since the new
+  shared secrets will be longer.
+
+  If upgrading is not possible, you can override the default
+  `otp_secret_length` attribute in the model when configuring
+  `two_factor_authenticable` and set it to a value of at least
+  26 to ensure newly generated shared secrets are at least
+  128-bits long.
+
+  After upgrading or implementing the workaround, applications
+  using Devise-Two-Factor may wish to migrate users to the new
+  OTP length to provide increased protection for those accounts.
+  Turning off OTP for users by setting `otp_required_for_login`
+  to false is not recommended since it would leave accounts
+  unprotected. However, you may wish to implement application
+  logic that checks the length of a user's shared secret and
+  prompts users to re-enroll in OTP.
+
+  ### Background
+  Devise-Two-Factor uses [ROTP](https://github.com/mdp/rotp) to
+  generate shared secrets for TOTP. In ROTP < 5.0.0, the first
+  argument to the "ROTP::Base32#random_base32" function represented
+  the number of bytes to read from SecureRandom which were then
+  returned as a base32-encoded string. In ROTP 5.1.0, this function
+  was changed so that the first argument now represents the length
+  of the base32-encoded string returned by the function instead
+  of the number of bytes to read from SecureRandom resulting in
+  a shorter key being generated for the same input value.
+  (https://github.com/mdp/rotp/commit/c6c24ab894e7c2b1579d45ac82c41454d1e98227).
+cvss_v3: 5.3
+cvss_v4: 6.0
+unaffected_versions:
+  - "< 2.2.0"
+patched_versions:
+  - ">= 6.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-8796
+    - https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
+    - https://github.com/devise-two-factor/devise-two-factor/commit/cc6f34423d9c6af9f3e02be478c3c40dc7462e19
+    - https://github.com/advisories/GHSA-qjxf-mc72-wjr2