CVE-2013-2506: spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles

CVSS Score: 4

Basic Information

EPSS Score: 0.39129%
CWE: -
Published: 5/17/2022
Updated: 7/3/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Package Name: spree_auth_devise
Ecosystem: rubygems
Vulnerable Versions: >= 1.0.0, < 3.0.5
First Patched Version: 3.0.5

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from the User model's unsafe mass assignment configuration. The GitHub patch shows that :spree_role_ids was explicitly removed from the attr_accessible list in app/models/spree/user.rb. Before the fix, whitelisting that attribute meant a user-supplied spree_role_ids parameter in an ordinary profile update was written straight to the user's roles, so an authenticated user could grant themselves any role. The commit message 'Remove Mass Assignment of Role IDs', together with the controller logic added to handle role assignment separately, confirms that the root cause was mass assignment via this model's attr_accessible declaration.
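The whitelist mechanism described above, shown as an added example rather than code from spree_auth_devise or Rails: a small stand-in for attr_accessible and update_attributes, with the pre-fix and post-fix User models side by side. The admin role id, the request parameters and the actor_is_admin check are constructed assumptions standing in for the real role table and the controller-side authorisation the patch added.

```ruby
# Added illustration (not spree_auth_devise or Rails code): a minimal stand-in
# for Rails 3 attr_accessible whitelisting, showing why listing :spree_role_ids
# in the User model let a self-service profile update change the user's roles.
module MassAssignable
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      (@accessible ||= []).concat(names.map(&:to_sym))
    end

    def accessible_attributes; @accessible || []; end
  end

  # Stand-in for update_attributes(params): whitelisted keys are written to the
  # model verbatim, non-whitelisted keys are silently dropped.
  def update_attributes(params)
    params.each do |key, value|
      next unless self.class.accessible_attributes.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
    self
  end
end

ADMIN_ROLE_ID = 1 # constructed sample id for the admin role

class VulnerableUser # pre-fix whitelist: roles are a mass-assignable field
  include MassAssignable
  attr_reader :spree_role_ids
  attr_accessible :email, :password, :spree_role_ids
end

class FixedUser # post-fix whitelist: roles only change through assign_roles
  include MassAssignable
  attr_reader :spree_role_ids
  attr_accessible :email, :password

  # Separate role path; actor_is_admin models the controller's authorisation check.
  def assign_roles(role_ids, actor_is_admin:)
    raise ArgumentError, "only admins may assign roles" unless actor_is_admin
    @spree_role_ids = role_ids
  end
end

# Constructed request: an ordinary customer's profile update that also carries
# spree_role_ids. Returns whether the update left the customer holding the admin role.
def admin_after_profile_update?(user_class)
  params = { "email" => "customer@example.com", "spree_role_ids" => [ADMIN_ROLE_ID] }
  user = user_class.new.update_attributes(params)
  Array(user.spree_role_ids).include?(ADMIN_ROLE_ID)
end
```

The same request yields an admin on VulnerableUser and an unchanged role list on FixedUser, which is the whole effect of dropping one symbol from attr_accessible.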
