#VU42868 Resource management error in Opensuse - CVE-2013-0233
Published: April 26, 2013 / Updated: August 11, 2020
Vulnerability identifier: #VU42868
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Green
CVE-ID: CVE-2013-0233
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Opensuse
Opensuse
Software vendor:
SUSE
SUSE
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. Per http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html "Affected Products: openSUSE 12.2"
Remediation
Install update from vendor's website.
External links
- http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00000.html
- http://www.metasploit.com/modules/auxiliary/admin/http/rails_devise_pass_reset
- http://www.openwall.com/lists/oss-security/2013/01/29/3
- http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/index.html
- http://www.securityfocus.com/bid/57577
- https://github.com/Snorby/snorby/issues/261