Home > Vulnerability Database > CVE-2013-0233

Mend.io Vulnerability Database

CVE-2013-0233

Good to know:

Date: April 25, 2013

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Language: Ruby

Severity Score

5.6

Related Resources (12)

Url: https://github.com/Snorby/snorby/issues/261

Url: http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html

Url: https://web.archive.org/web/20140726005251/http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html

Url: http://www.securityfocus.com/bid/57577

Url: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/

Url: http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset

Url: http://www.openwall.com/lists/oss-security/2013/01/29/3

Url: https://web.archive.org/web/20200229103406/http://www.securityfocus.com/bid/57577

Url: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released

Url: http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2013-0233

Url: https://www.mend.io/vulnerability-database/CVE-2013-0233

Severity Score

5.6

Weakness Type (CWE)

Incorrect Type Conversion or Cast

CWE-704

Resource Management Errors

CWE-399

Top Fix

Upgrade Version

Upgrade to version 2.2.3,2.1.3,2.0.5,1.5.4

Learn More

CVSS v3.1

Base Score:	5.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2013-0233

Good to know:

Date: April 25, 2013

Language: Ruby

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?