CVE-2013-2506: spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles
CVSS Score: 4
Basic Information
CVE ID: CVE-2013-2506
GHSA ID
EPSS Score: 0.39129%
CWE: -
Published: 5/17/2022
Updated: 7/3/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| spree_auth_devise | rubygems | >= 1.0.0, < 3.0.5 | 3.0.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the User model's unsafe mass-assignment configuration. The GitHub patch shows that :spree_role_ids was explicitly removed from the attr_accessible list in app/models/spree/user.rb. Before the fix, listing this attribute as accessible meant any user-supplied parameters could set a user's role IDs, so an authenticated user could grant themselves arbitrary roles. The commit message 'Remove Mass Assignment of Role IDs', together with the controller logic added to handle role assignment separately, confirms that the root cause was mass assignment via this model's attr_accessible declaration.
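To make the mass-assignment issue concrete, here is an added example that is not Spree's code and not part of the original record. It uses a plain Ruby stand-in for the Rails 3 attr_accessible allow list: the vulnerable configuration leaves `spree_role_ids` mass-assignable, the fixed configuration drops it, and role changes go through a separate path that checks the caller's authorization. The class, attribute names, sample parameters and the `assign_roles` helper are all assumptions constructed for illustration.

```ruby
# Constructed stand-in for a Rails 3 model with attr_accessible-style
# mass assignment. Not Spree's code; names and values are assumptions.
class User
  attr_accessor :email, :spree_role_ids

  def initialize
    @email = nil
    @spree_role_ids = []
  end

  # Mass-assign from a params hash, keeping only keys on the allow list.
  # This mirrors what attr_accessible did: anything not listed is dropped.
  def assign_attributes(params, accessible:)
    params.each do |key, value|
      key = key.to_sym
      next unless accessible.include?(key)
      public_send("#{key}=", value)
    end
    self
  end
end

# Vulnerable configuration: role ids are on the mass-assignment allow list,
# so a signup or profile form can set them.
VULNERABLE_ACCESSIBLE = [:email, :spree_role_ids].freeze

# Fixed configuration: role ids removed from the allow list, as the patch did.
FIXED_ACCESSIBLE = [:email].freeze

# Constructed untrusted form submission that also smuggles in a role id.
UNTRUSTED_PARAMS = { "email" => "user@example.test", "spree_role_ids" => [1] }.freeze

# Simulated user-facing registration/update path driven by request params.
def register_user(params, accessible)
  User.new.assign_attributes(params, accessible: accessible)
end

# Separate, explicit role-assignment path (hypothetical) that is only
# reachable by an authorized actor, independent of any form parameters.
def assign_roles(user, role_ids, actor_is_admin:)
  raise "not authorized" unless actor_is_admin
  user.spree_role_ids = role_ids.map(&:to_i)
  user
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{register_user(UNTRUSTED_PARAMS, VULNERABLE_ACCESSIBLE).spree_role_ids.inspect}"
  puts "fixed:      #{register_user(UNTRUSTED_PARAMS, FIXED_ACCESSIBLE).spree_role_ids.inspect}"
end
```

With the vulnerable allow list the submitted `spree_role_ids` lands on the user; with the fixed list it is silently discarded and roles can only change through the authorized path. A useful detection check for this class of bug is to diff the model's accessible attributes against the fields a form is actually meant to expose, and treat any privilege-bearing column (roles, admin flags, ownership ids) on that list as a finding.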