CVE-2013-0233
Ruby On Rails Devise Authentication Password Reset
Severity Score
6.8
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
Devise v2.2.x antes de v2.2.3, v2.1.x antes de v2.1.3, v2.0.x antes de v2.0.5, v1.5.x antes de v1.5.4 de Ruby, al utilizar ciertas bases de datos, no funciona correctamente cuando se realiza la conversión de tipos consultas de base de datos, lo que podría permitir a atacantes remotos provocar resultados incorrectos para ser devueltos y eludir los controles de seguridad a través de vectores desconocidos, como lo demuestra restablecer las contraseñas de las cuentas arbitrarias.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2012-12-06 CVE Reserved
- 2013-04-25 CVE Published
- 2024-09-17 CVE Updated
- 2024-09-17 EPSS Updated
- 2024-09-17 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-399: Resource Management Errors
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2013/01/29/3 | Mailing List |
|
| http://www.securityfocus.com/bid/57577 | Vdb Entry | |
| https://github.com/Snorby/snorby/issues/261 | X_refsource_misc |
| URL | Date | SRC |
|---|---|---|
| http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset | 2024-09-17 | |
| http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html | 2024-09-17 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 1.5.0 Search vendor "Plataformatec" for product "Devise" and version "1.5.0" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 1.5.1 Search vendor "Plataformatec" for product "Devise" and version "1.5.1" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 1.5.2 Search vendor "Plataformatec" for product "Devise" and version "1.5.2" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 1.5.3 Search vendor "Plataformatec" for product "Devise" and version "1.5.3" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.0.0 Search vendor "Plataformatec" for product "Devise" and version "2.0.0" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.0.1 Search vendor "Plataformatec" for product "Devise" and version "2.0.1" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.0.2 Search vendor "Plataformatec" for product "Devise" and version "2.0.2" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.0.3 Search vendor "Plataformatec" for product "Devise" and version "2.0.3" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.0.4 Search vendor "Plataformatec" for product "Devise" and version "2.0.4" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.1.0 Search vendor "Plataformatec" for product "Devise" and version "2.1.0" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.1.1 Search vendor "Plataformatec" for product "Devise" and version "2.1.1" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.1.2 Search vendor "Plataformatec" for product "Devise" and version "2.1.2" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.2.0 Search vendor "Plataformatec" for product "Devise" and version "2.2.0" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.2.1 Search vendor "Plataformatec" for product "Devise" and version "2.2.1" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Plataformatec Search vendor "Plataformatec" | Devise Search vendor "Plataformatec" for product "Devise" | 2.2.2 Search vendor "Plataformatec" for product "Devise" and version "2.2.2" | - |
Affected
| in | Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | * | - |
Safe
|
| Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 12.2 Search vendor "Opensuse" for product "Opensuse" and version "12.2" | - |
Affected
| ||||||