

GSD-2013-2506

Vulnerability from gsd - Updated: 2013-02-21 00:00
Details
Spree contains a flaw that leads to unauthorized privileges being gained. The issue is triggered because certain input related to mass role assignment in app/models/spree/user.rb is not properly verified before it is used to update a user. This may allow a remote attacker to assign arbitrary roles and gain elevated administrative privileges.
Aliases

{
  "GSD": {
    "alias": "CVE-2013-2506",
    "description": "app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.",
    "id": "GSD-2013-2506"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "spree",
            "purl": "pkg:gem/spree"
          }
        }
      ],
      "aliases": [
        "CVE-2013-2506",
        "OSVDB-90865"
      ],
      "details": "Spree contains a flaw that leads to unauthorized privileges being gained. The\nissue is triggered as certain input related to mass role assignment in\napp/models/spree/user.rb is not properly verified before being used to update\na user. This may allow a remote attacker to assign arbitrary roles and gain\nelevated administrative privileges.\n",
      "id": "GSD-2013-2506",
      "modified": "2013-02-21T00:00:00.000Z",
      "published": "2013-02-21T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.0,
          "type": "CVSS_V2"
        }
      ],
      "summary": "Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege\nEscalation\n"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2013-2506",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
            "refsource": "CONFIRM",
            "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
          },
          {
            "name": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
            "refsource": "CONFIRM",
            "url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2013-2506",
      "cvss_v2": 4.0,
      "date": "2013-02-21",
      "description": "Spree contains a flaw that leads to unauthorized privileges being gained. The\nissue is triggered as certain input related to mass role assignment in\napp/models/spree/user.rb is not properly verified before being used to update\na user. This may allow a remote attacker to assign arbitrary roles and gain\nelevated administrative privileges.\n",
      "gem": "spree_auth_devise",
      "osvdb": 90865,
      "patched_versions": [
        "~\u003e 1.1.6",
        "~\u003e 1.2.0",
        "\u003e= 1.3.0"
      ],
      "title": "Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation",
      "url": "https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=1.3.2",
          "affected_versions": "All versions before 1.3.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2013-03-18",
          "description": "app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.",
          "fixed_versions": [
            "3.0.5"
          ],
          "identifier": "CVE-2013-2506",
          "identifiers": [
            "CVE-2013-2506"
          ],
          "not_impacted": "All versions after 1.3.2",
          "package_slug": "gem/spree",
          "pubdate": "2013-03-08",
          "solution": "Upgrade to version 3.0.5 or above.",
          "title": "Permissions, Privileges, and Access Controls",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2013-2506",
            "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
            "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
          ],
          "uuid": "a75ad893-174f-4ace-a703-96ab33dc29f6"
        },
        {
          "affected_range": "\u003c=1.3.2",
          "affected_versions": "All versions before 1.3.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2013-03-18",
          "description": "app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.",
          "fixed_versions": [
            "3.0.5"
          ],
          "identifier": "CVE-2013-2506",
          "identifiers": [
            "CVE-2013-2506"
          ],
          "not_impacted": "All versions starting from 1.3.2",
          "package_slug": "gem/spree_auth",
          "pubdate": "2013-03-08",
          "solution": "Upgrade to version 3.0.5 or above.",
          "title": "Permissions, Privileges, and Access Controls",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2013-2506",
            "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
            "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
          ],
          "uuid": "73043553-e3f8-4076-86e8-e40e4e82dbd4"
        },
        {
          "affected_range": "\u003c=1.3.2",
          "affected_versions": "All versions before 1.3.2",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2013-03-18",
          "description": "app/models/spree/user.rb in spree_auth_devise in Spree does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves.",
          "fixed_versions": [
            "3.0.5"
          ],
          "identifier": "CVE-2013-2506",
          "identifiers": [
            "CVE-2013-2506"
          ],
          "not_impacted": "All versions after 1.3.2",
          "package_slug": "gem/spree_auth_devise",
          "pubdate": "2013-03-08",
          "solution": "Upgrade to version 3.0.5 or above.",
          "title": "Permissions, Privileges, and Access Controls",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2013-2506",
            "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
            "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
          ],
          "uuid": "aabc7d92-3975-4207-83f2-067404506a7d"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.3.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:1.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2013-2506"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "app/models/spree/user.rb in spree_auth_devise in Spree 1.1.x before 1.1.6, 1.2.x, and 1.3.x does not perform mass assignment safely when updating a user, which allows remote authenticated users to assign arbitrary roles to themselves."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65",
              "refsource": "MISC",
              "tags": [],
              "url": "https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65"
            },
            {
              "name": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2013-03-18T04:00Z",
      "publishedDate": "2013-03-08T18:55Z"
    }
  }
}