CVE-2013-0233

2013-04-2523:55:01

Debian Security Bug Tracker

security-tracker.debian.org

devise gem

vulnerability

ruby

type conversion

database query

security checks

resetting passwords

unix

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.098

Percentile

94.9%

JSON

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

OSVersionArchitecturePackageVersionFilename
Debian12allruby-devise< 3.4.1-1ruby-devise_3.4.1-1_all.deb
Debian11allruby-devise< 3.4.1-1ruby-devise_3.4.1-1_all.deb
Debian999allruby-devise< 3.4.1-1ruby-devise_3.4.1-1_all.deb
Debian13allruby-devise< 3.4.1-1ruby-devise_3.4.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	ruby-devise	< 3.4.1-1	ruby-devise_3.4.1-1_all.deb
Debian	11	all	ruby-devise	< 3.4.1-1	ruby-devise_3.4.1-1_all.deb
Debian	999	all	ruby-devise	< 3.4.1-1	ruby-devise_3.4.1-1_all.deb
Debian	13	all	ruby-devise	< 3.4.1-1	ruby-devise_3.4.1-1_all.deb