CVE-2013-0233: Incorrect Type Cast
First published: Thu Apr 25 2013(Updated: )
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/devise | >=1.5.0<1.5.4 | 1.5.4 |
| rubygems/devise | >=2.0.0<2.0.5 | 2.0.5 |
| rubygems/devise | >=2.1.0<2.1.3 | 2.1.3 |
| rubygems/devise | >=2.2.0<2.2.3 | 2.2.3 |
| Devise | =1.5.0 | |
| Devise | =1.5.1 | |
| Devise | =1.5.2 | |
| Devise | =1.5.3 | |
| Devise | =2.0.0 | |
| Devise | =2.0.1 | |
| Devise | =2.0.2 | |
| Devise | =2.0.3 | |
| Devise | =2.0.4 | |
| Devise | =2.1.0 | |
| Devise | =2.1.1 | |
| Devise | =2.1.2 | |
| Devise | =2.2.0 | |
| Devise | =2.2.1 | |
| Devise | =2.2.2 | |
| Ruby | ||
| SUSE Linux | =12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2013-0233
- https://github.com/Snorby/snorby/issues/261
- http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
- http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
- http://www.openwall.com/lists/oss-security/2013/01/29/3
- https://web.archive.org/web/20140726005251/http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- https://web.archive.org/web/20200229103406/http://www.securityfocus.com/bid/57577
- https://github.com/advisories/GHSA-jxhw-mg8m-2pj8 (Advisory)
- http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- http://www.securityfocus.com/bid/57577
Frequently Asked Questions
What is the severity of CVE-2013-0233?
CVE-2013-0233 is considered a moderate severity vulnerability due to its potential to cause incorrect query results and bypass security checks.
How do I fix CVE-2013-0233?
To fix CVE-2013-0233, update the Devise gem to version 1.5.4, 2.0.5, 2.1.3, or 2.2.3.
What systems are affected by CVE-2013-0233?
CVE-2013-0233 affects Devise versions prior to 2.2.3, 2.1.3, 2.0.5, and 1.5.4, particularly when using certain databases.
Is my installation vulnerable if I use Devise version 2.2.3 or later?
If you are using Devise version 2.2.3 or later, your installation is not vulnerable to CVE-2013-0233.
What can attackers exploit in CVE-2013-0233?
Attackers can exploit CVE-2013-0233 to manipulate database queries, causing incorrect results and potentially bypassing authentication checks.
- collector/github-advisory-latest
- alias/GHSA-jxhw-mg8m-2pj8
- alias/CVE-2013-0233
- collector/github-advisory
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/rubygems
- vendor/plataformatec
- canonical/devise
- version/devise/1.5.0
- version/devise/1.5.1
- version/devise/1.5.2
- version/devise/1.5.3
- version/devise/2.0.0
- version/devise/2.0.1
- version/devise/2.0.2
- version/devise/2.0.3
- version/devise/2.0.4
- version/devise/2.1.0
- version/devise/2.1.1
- version/devise/2.1.2
- version/devise/2.2.0
- version/devise/2.2.1
- version/devise/2.2.2
- vendor/ruby-lang
- canonical/ruby
- vendor/opensuse
- canonical/suse linux
- version/suse linux/12.2