CVE-2013-0233 Information

Description

Devise gem 2.2.x before 2.2.3 2.1.x before 2.1.3 2.0.x before 2.0.5 and 1.5.x before 1.5.4 for Ruby when using certain databases does not properly perform type conversion when performing database queries which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors as demonstrated by resetting passwords of arbitrary accounts.

Reference

http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/ http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset http://www.openwall.com/lists/oss-security/2013/01/29/3 http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html http://www.securityfocus.com/bid/57577 https://github.com/Snorby/snorby/issues/261