Resource management error in Opensuse - CVE-2013-0233
Published: April 26, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42868
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2013-0233
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vendor: SUSE
Affected software:
Opensuse
Opensuse
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Per http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html "Affected Products: openSUSE 12.2"
How to mitigate CVE-2013-0233
Install update from vendor's website.
Sources
- http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
- http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
- http://www.openwall.com/lists/oss-security/2013/01/29/3
- http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- http://www.securityfocus.com/bid/57577
- https://github.com/Snorby/snorby/issues/261