Fluid Attacks Database

Description

Devise does not properly perform type conversion when performing database queries Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	devise	>=2.2.0 <2.2.3 \|\| >=2.1.0 <2.1.3 \|\| >=2.0.0 <2.0.5 \|\| >=1.5.0 <1.5.4	2.2.3, 2.1.3, 2.0.5, 1.5.4
debian 12	ruby-devise	>=0 <3.4.1-1	3.4.1-1
debian 11	ruby-devise	>=0 <3.4.1-1	3.4.1-1

Aliases

1. CVE-2013-02332. NVD-2013-02333. OSV-2013-02334. OSV-DEBIAN-2013-02335. GCVE-2013-02336. SECURITY-TRACKER-CVE-2013-0233

References

1. https://github.com/Snorby/snorby/issues/2612. https://web.archive.org/web/20140726005251/http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html3. https://web.archive.org/web/20200229103406/http://www.securityfocus.com/bid/575774. http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released5. http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html6. http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset7. http://www.openwall.com/lists/oss-security/2013/01/29/3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.