Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
References
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
|
History
21 Nov 2024, 01:47
Type | Values Removed | Values Added |
---|---|---|
References | () http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/ - Vendor Advisory | |
References | () http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html - | |
References | () http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset - Exploit | |
References | () http://www.openwall.com/lists/oss-security/2013/01/29/3 - | |
References | () http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html - Exploit | |
References | () http://www.securityfocus.com/bid/57577 - | |
References | () https://github.com/Snorby/snorby/issues/261 - |
Information
Published : 2013-04-25 23:55
Updated : 2024-11-21 01:47
NVD link : CVE-2013-0233
Mitre link : CVE-2013-0233
CVE.ORG link : CVE-2013-0233
JSON object : View
Products Affected
opensuse
- opensuse
plataformatec
- devise
ruby-lang
- ruby
CWE
CWE-399
Resource Management Errors