Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/devise@2.2.5

Type gem

Namespace

Name devise

Version 2.2.5

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 3.0.1

Latest_non_vulnerable_version 4.6.0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-xf84-71ey-ckcs

vulnerability_id VCID-xf84-71ey-ckcs

summary Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made.

references

reference_url	http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
reference_id
reference_type
scores
url	http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/

reference_url	http://homakov.blogspot.com.es/2013/06/cookie-forcing-protection-made-easy.html
reference_id
reference_type
scores
url	http://homakov.blogspot.com.es/2013/06/cookie-forcing-protection-made-easy.html

fixed_packages

url	pkg:gem/devise@2.2.5
purl	pkg:gem/devise@2.2.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/devise@2.2.5

url	pkg:gem/devise@3.0.1
purl	pkg:gem/devise@3.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/devise@3.0.1

aliases OSVDB-114435

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xf84-71ey-ckcs

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/devise@2.2.5

Package Instance