RubySec

Providing security resources for the Ruby community

CVE-2013-2506 (spree_auth_devise): Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation

ADVISORIES

GEM

spree_auth_devise

SEVERITY

CVSS v2: 4.0 (Medium)

PATCHED VERSIONS

  • ~> 1.1.6
  • ~> 1.2.0
  • >= 1.3.0

DESCRIPTION

Spree contains a flaw that leads to unauthorized privileges being gained. The issue is triggered as certain input related to mass role assignment in app/models/spree/user.rb is not properly verified before being used to update a user. This may allow a remote attacker to assign arbitrary roles and gain elevated administrative privileges.