RubySec

Providing security resources for the Ruby community

CVE-2013-0233 (devise): Devise Database Type Conversion Crafted Request Parsing Security Bypass

GEM

devise

SEVERITY

CVSS v2: 6.8

PATCHED VERSIONS

  • ~> 1.5.4
  • ~> 2.0.5
  • ~> 2.1.3
  • >= 2.2.3

DESCRIPTION

Devise contains a flaw that is triggered when a type conversion error occurs during the parsing of a malformed request. With a specially crafted request, a remote attacker can bypass security restrictions.
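
To check whether an application resolves to a fixed release, the patched version ranges listed above can be evaluated against the devise entry in a `Gemfile.lock`. The script below is an added example, not part of the advisory or of Devise; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Patched version ranges copied from this advisory (CVE-2013-0233).
PATCHED = ["~> 1.5.4", "~> 2.0.5", "~> 2.1.3", ">= 2.2.3"]
          .map { |r| Gem::Requirement.new(r) }.freeze

# True when the given devise version falls inside any patched range.
def devise_patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Resolved gems sit under "specs:" with exactly four spaces of indent,
# e.g. "    devise (2.2.2)". Dependency constraints (six spaces) and the
# DEPENDENCIES section (two spaces) are deliberately not matched.
def locked_devise_version(lockfile_text)
  m = lockfile_text.match(/^ {4}devise \(([^)\s]+)\)$/)
  m && m[1]
end

# Returns :not_present, :patched or :vulnerable for a Gemfile.lock body.
def audit(lockfile_text)
  version = locked_devise_version(lockfile_text)
  return :not_present if version.nil?
  devise_patched?(version) ? :patched : :vulnerable
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (2.2.2)
        warden (~> 1.2.1)
      some_engine (0.1.0)
        devise (>= 2.0)
      warden (1.2.1)

  DEPENDENCIES
    devise (~> 2.2)
    some_engine
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "devise #{locked_devise_version(SAMPLE_LOCK)}: #{audit(SAMPLE_LOCK)}"
end
```

A version on an older branch is reported as patched only if it is at or above that branch's fixed release, so 2.1.2 is flagged even though 2.0.5 is not.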