Is spree_auth_devise affected by CVE-2013-2506?

RubyGems spree_auth_devise is affected in >=1.0.0 <3.0.5.

Is CVE-2013-2506 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 1.3%.

medium

CVE-2013-2506

Q: Is CVE-2013-2506 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 1.3%.

RubyGems · spree_auth_devise

Summary

spree_auth_devise allows remote authenticated users to assign themselves arbitrary roles

Severity: medium
EPSS: 1.3% (p66)
Also known as: GHSA-jp57-9j37-5476
Published: 2022-05-17

References

https://nvd.nist.gov/vuln/detail/CVE-2013-2506
https://github.com/spree/spree_auth_devise/commit/038d74771d3b5c13d13b738b73dfda1033a99f65
https://github.com/spree/spree_auth_devise/commit/fda3ab9fb536c64fe18a9b78bb21c6176b3ea24d

Related advisories

CVE-2021-41275 — critical · RubyGems/spree_auth_devise

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.