CVE-2013-0233 - Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ru

CVE-2013-0233

Summary

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Per http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html "Affected Products: openSUSE 12.2"

References

Vulnerable Configurations

cpe:2.3:a:plataformatec:devise:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:1.5.3:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:plataformatec:devise:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 30-10-2018 - 16:27)
Impact:
Exploitability:

CWE

CWE-399

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bid	57577
confirm	http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
misc	http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html https://github.com/Snorby/snorby/issues/261
mlist	[oss-security] 20130128 Re: CVE request for 'devise' ruby gem
suse	openSUSE-SU-2013:0374

Last major update

30-10-2018 - 16:27

Published

25-04-2013 - 23:55

Last modified

30-10-2018 - 16:27