Vulnerabilities > CVE-2013-0233 - Resource Management Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Per http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html "Affected Products: openSUSE 12.2"
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Metasploit
| description | The Devise authentication gem for Ruby on Rails is vulnerable to a password reset exploit leveraging type confusion. By submitting XML to rails, we can influence the type used for the reset_password_token parameter. This allows for resetting passwords of arbitrary accounts, knowing only the associated email address. This module defaults to the most common devise URIs and response values, but these may require adjustment for implementations which customize them. Affects Devise < v2.2.3, 2.1.3, 2.0.5 and 1.5.4 when backed by any database except PostgreSQL or SQLite3. Tested with v2.2.2, 2.1.2, and 2.0.4 on Rails 3.2.11. Patch applied to Rails 3.2.12 and 3.1.11 should prevent exploitation of this vulnerability, by quoting numeric values when comparing them with non numeric values. |
| id | MSF:AUXILIARY/ADMIN/HTTP/RAILS_DEVISE_PASS_RESET |
| last seen | 2020-05-29 |
| modified | 2019-10-05 |
| published | 2013-02-11 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/rails_devise_pass_reset.rb |
| title | Ruby on Rails Devise Authentication Password Reset |
Nessus
| NASL family | SuSE Local Security Checks |
| NASL id | OPENSUSE-2013-166.NASL |
| description | rubygem-devise was updated to version 1.5.4 fixing bugs and security issue : - wrong records may be read when sending specifically crafted requests (bnc#800955) (CVE-2013-0233) |
| last seen | 2020-06-05 |
| modified | 2014-06-13 |
| plugin id | 74908 |
| published | 2014-06-13 |
| reporter | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/74908 |
| title | openSUSE Security Update : rubygem-devise (openSUSE-SU-2013:0374-1) |
References
- http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
- http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
- http://www.openwall.com/lists/oss-security/2013/01/29/3
- http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- http://www.securityfocus.com/bid/57577
- https://github.com/Snorby/snorby/issues/261