cbcvebase.
CVE-2013-0233
published 2013-04-25


Priority: P346 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 14.13% (96.1th percentile)
Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Affected

21 ranges

Vendor         Product       Version range                       Fixed in
debian         ruby-devise   < ruby-devise 3.4.1-1 (bookworm)    ruby-devise 3.4.1-1 (bookworm)
opensuse       opensuse      (not given)                         (not given)
plataformatec  devise        (15 entries without version data)   (not given)
plataformatec  devise        >= 1.5.0, < 1.5.4                   1.5.4
plataformatec  devise        >= 2.0.0, < 2.0.5                   2.0.5
plataformatec  devise        >= 2.1.0, < 2.1.3                   2.1.3
plataformatec  devise        >= 2.2.0, < 2.2.3                   2.2.3

Detection & IOCs (extracted from sources)

Command: XML submission to influence reset_password_token parameter type
  • Monitor HTTP requests submitting XML content-type bodies to password reset endpoints, particularly those targeting the reset_password_token parameter — this is the core exploitation vector for type confusion.
  • Alert on password reset requests where the reset_password_token value is not a standard string/token format (e.g., numeric or structured XML node), indicating attempted type confusion abuse.
  • Flag use of the Metasploit module auxiliary/admin/http/rails_devise_pass_reset against Devise-backed Rails applications as active exploitation of CVE-2013-0233.
  • Exploitation only affects non-PostgreSQL and non-SQLite3 database backends; PostgreSQL and SQLite3 are not vulnerable due to stricter type handling.
  • The Metasploit module targets common Devise URI patterns by default but may need tuning for customized implementations, meaning detection rules based on default URIs may miss customized deployments.
  • Rails 3.2.12 and 3.1.11 patches mitigate exploitation at the framework level; environments running patched Rails versions are protected even if Devise itself is not updated.
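The first two detection points above (XML bodies sent to the password-reset endpoint, and a reset_password_token that is not a plain string) as a small Ruby check over request records; this is an added example, not code from the CVE record, Metasploit or the Devise project. It assumes Devise's default `/users/password` route (customized routes need the same tuning noted above), that a legitimate token is a non-empty URL-safe string, and that `params` is already parsed the way Rails would parse it; the sample records are constructed.

```ruby
require 'set'
# Assumption: Devise's default password-reset route; customised routes need tuning.
RESET_PATHS = Set['/users/password'].freeze
XML_TYPES   = %r{\A(application|text)/xml}i
# Assumption: a legitimate token is a non-empty URL-safe string (Devise friendly token).
TOKEN_FORMAT = /\A[A-Za-z0-9_-]+\z/

# Find the token whether it is sent top-level or nested under user[...].
# Returns [present?, value] so a typed node parsed to nil is still seen as present.
def extract_token(params)
  return [true, params['reset_password_token']] if params.key?('reset_password_token')
  user = params['user']
  return [true, user['reset_password_token']] if user.is_a?(Hash) && user.key?('reset_password_token')
  [false, nil]
end

# req: {method:, path:, content_type:, params:} with params as Rails would parse
# them, so a typed XML node arrives as an Integer, nil or Hash rather than a String.
# Returns the indicator names that fired; an empty array means nothing suspicious.
def reset_request_indicators(req)
  on_reset = RESET_PATHS.include?(req[:path]) &&
             %w[PUT PATCH POST].include?(req[:method].to_s.upcase)
  return [] unless on_reset
  hits = []
  hits << :xml_body_to_reset_endpoint if req[:content_type].to_s.match?(XML_TYPES)
  present, token = extract_token(req[:params])
  if present && !(token.is_a?(String) && token.match?(TOKEN_FORMAT))
    hits << :non_string_or_malformed_token
  end
  hits
end

# Constructed sample records (not real traffic); records 1 and 2 (zero-based) model type confusion.
SAMPLE_REQUESTS = [
  { method: 'PUT', path: '/users/password', content_type: 'application/x-www-form-urlencoded',
    params: { 'user' => { 'reset_password_token' => 'XqJ2k9_fP3vL', 'password' => 'new-pass' } } },
  { method: 'PUT', path: '/users/password', content_type: 'application/xml',
    params: { 'user' => { 'reset_password_token' => 0 } } },
  { method: 'PUT', path: '/users/password', content_type: 'text/xml',
    params: { 'reset_password_token' => nil } },
  { method: 'POST', path: '/users/sign_in', content_type: 'application/xml',
    params: { 'user' => { 'email' => 'a@example.com' } } }
].freeze

# Returns [[index, indicators], ...] for every record that fired at least one indicator.
def scan(requests = SAMPLE_REQUESTS)
  requests.each_with_index.map { |r, i| [i, reset_request_indicators(r)] }.reject { |_, h| h.empty? }
end

scan.each { |i, h| puts "request #{i}: #{h.join(', ')}" } if $PROGRAM_NAME == __FILE__
```

Only requests that hit the reset route are inspected, so the XML login request in the sample set is ignored, and a token parsed to nil (rather than missing) is still reported because the key was present.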

CVSS provenance

nvd:            CVSS v2.0  6.8  MEDIUM  AV:N/AC:M/Au:N/C:P/I:P/A:P
osv:            6.8  MEDIUM
vendor_debian:  6.8  MEDIUM