Devise does not properly perform type conversion when performing database queries

GHSA-jxhw-mg8m-2pj8 · CVE-2013-0233

Published Oct 24, 2017 · Modified Dec 3, 2024

Description

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2013-0233
WEB https://github.com/Snorby/snorby/issues/261
WEB https://web.archive.org/web/20140726005251/http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
WEB https://web.archive.org/web/20200229103406/http://www.securityfocus.com/bid/57577
WEB http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released
WEB http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
WEB http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
WEB http://www.openwall.com/lists/oss-security/2013/01/29/3

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes