CVE-2013-0233
Plataformatec Devise < 2.2.3 - Resource Management Error
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
Exploits (1)
metasploit - WORKING POC - by joernchen, jjarmoc · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/rails_devise_pass_reset.rb
References (7)
Scores
EPSS: 0.6882
EPSS Percentile: 98.6%
Details
CWE: CWE-399
Status: published
Products (17)
opensuse/opensuse 12.2
plataformatec/devise 1.5.0
plataformatec/devise 1.5.1
plataformatec/devise 1.5.2
plataformatec/devise 1.5.3
plataformatec/devise 2.0.0
plataformatec/devise 2.0.1
plataformatec/devise 2.0.2
plataformatec/devise 2.0.3
plataformatec/devise 2.0.4
... and 7 more
Published: Apr 25, 2013
Tracked Since: Feb 18, 2026