Vulnerability Description
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Plataformatec | Devise | 1.5.0 |
| Ruby-Lang | Ruby | All versions |
| Opensuse | Opensuse | 12.2 |
Related Weaknesses (CWE)
References
- http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2- (Vendor Advisory)
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
- http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset (Exploit)
- http://www.openwall.com/lists/oss-security/2013/01/29/3
- http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index. (Exploit)
- http://www.securityfocus.com/bid/57577
- https://github.com/Snorby/snorby/issues/261
FAQ
What is CVE-2013-0233?
CVE-2013-0233 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database...
How severe is CVE-2013-0233?
CVE-2013-0233 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2013-0233?
Check the references section above for vendor advisories and patch information. Affected products include: Plataformatec Devise, Ruby-Lang Ruby, Opensuse Opensuse.