Fluid Attacks Database

Description

spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	spree_auth_devise	>=1.0.0 <3.0.5	3.0.5
rubygems	spree_auth	>=0 <=1.3.2	3.0.5
rubygems	spree	>=0 <=1.3.2	3.0.5

Aliases

1. CVE-2013-25062. NVD-2013-25063. OSV-2013-25064. GCVE-2013-2506

References

1. https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f652. https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d3. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth/CVE-2013-2506.yml4. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2013-2506.yml5. https://web.archive.org/web/20131207040639/https://rubygems.org/gems/spree_auth_devise/versions6. https://web.archive.org/web/20160331131233/https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed7. http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.