| Field | Value |
|---|---|
| Vulnerability Name | CVE-2013-0233 (CCN-81572) |
| Assigned | 2012-12-06 |
| Published | 2013-01-28 |
| Updated | 2018-10-30 |
| Summary | Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Per http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html: "Affected Products: openSUSE 12.2" |
| CVSS v3 Severity | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) |
| CVSS v2 Severity | 6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P); 5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C); 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type | CWE-399 |
| Vulnerability Consequences | Bypass Security |

References:

- Source: CCN; Type: plataformatec Web site; Security announcement: Devise v2.2.3, v2.1.3, v2.0.5 and v1.5.4 released
- Source: CONFIRM; Type: Vendor Advisory; http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
- Source: MITRE; Type: CNA; CVE-2013-0233
- Source: SUSE; Type: UNKNOWN; openSUSE-SU-2013:0374
- Source: CCN; Type: RubyGems Web site; Devise
- Source: CCN; Type: seclists Web site; Re: CVE request for 'devise' ruby gem
- Source: CCN; Type: SA51916; Devise Type Conversion Security Bypass Vulnerability
- Source: MISC; Type: Exploit; http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
- Source: MLIST; Type: UNKNOWN; [oss-security] 20130128 Re: CVE request for 'devise' ruby gem
- Source: MISC; Type: Exploit; http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- Source: BID; Type: UNKNOWN; 57577
- Source: CCN; Type: BID-57577; Devise CVE-2013-0233 Security Bypass Vulnerability
- Source: XF; Type: UNKNOWN; devise-security-bypass(81572)
- Source: MISC; Type: UNKNOWN; https://github.com/Snorby/snorby/issues/261
Vulnerable Configuration:

- Configuration 1:
- Configuration 2:
Oval Definitions: