NVD

Id
36589  
Name
CVE-2013-0233  
Description
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.  
Reject
 
CVSS Version
2  
CVSS Score
6.8  
Severity
Medium  
CVSS Base Score
6.8  
CVSS Impact Subscore
6.4  
CVSS Exploit Subscore
8.6  
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:P/A:P)  
Pub Date
2017-01-18  
Published
2013-04-25  
Modified Date
2013-05-01  
Seq
2013-0233  

Actions

Related NVD References

Id NVD Id NVD No. Reference Actions
186938 36589 CVE-2013-0233 http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/  View
186939 36589 CVE-2013-0233 openSUSE-SU-2013:0374  View
186940 36589 CVE-2013-0233 http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset  View
186941 36589 CVE-2013-0233 [oss-security] 20130128 Re: CVE request for "devise" ruby gem  View
186942 36589 CVE-2013-0233 http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html  View
186943 36589 CVE-2013-0233 57577  View
186944 36589 CVE-2013-0233 https://github.com/Snorby/snorby/issues/261  View

Related JVN

Id Name Title Summary Cveinfo Name Cveinfo Id Nvdinfo Name Nvdinfo Id Cvssv2 Cvssv3 Jvnurl Published Date Last Updated Date Actions
20907 JVNDB-2013-002482 Ruby 用 Devise gem における不正な結果が返される脆弱性 Ruby 用 Devise gem は、特定のデータベースを使用する場合、データベースクエリ実行時に型変換を適切に行わないため、不正な結果が返される、およびセキュリティチェックを回避される脆弱性が存在します。 CVE-2013-0233 60175 CVE-2013-0233 36589 6.8 http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-002482.html 2013-01-28 2013-04-30 View