GHSA-jxhw-mg8m-2pj8

Source

https://github.com/advisories/GHSA-jxhw-mg8m-2pj8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jxhw-mg8m-2pj8/GHSA-jxhw-mg8m-2pj8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jxhw-mg8m-2pj8

Aliases

CVE-2013-0233

Published

2017-10-24T18:33:37Z

Modified

2024-12-03T06:09:05.521253Z

Summary

Devise does not properly perform type conversion when performing database queries

Details

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-704"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:44:21Z"
}

References

Affected packages

RubyGems / devise

Package

Name: devise
Purl: pkg:gem/devise

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.3

Affected versions

2.*

2.2.0

2.2.1

2.2.2

RubyGems / devise

Package

Name: devise
Purl: pkg:gem/devise

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.3

Affected versions

2.*

2.1.0

2.1.2

RubyGems / devise

Package

Name: devise
Purl: pkg:gem/devise

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.0.5

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.4

RubyGems / devise

Package

Name: devise
Purl: pkg:gem/devise

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.5.0

Fixed

1.5.4

Affected versions

1.*

1.5.0

1.5.1

1.5.2

1.5.3