{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the \"back\" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-07T20:32:18", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/oivoodoo/devise_masquerade/issues/83"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2021-28680", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the \"back\" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/", "refsource": "MISC", "url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/"}, {"name": "https://github.com/oivoodoo/devise_masquerade/issues/83", "refsource": "MISC", "url": "https://github.com/oivoodoo/devise_masquerade/issues/83"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:47:33.085Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/oivoodoo/devise_masquerade/issues/83"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28680", "datePublished": "2021-12-07T20:32:18", "dateReserved": "2021-03-18T00:00:00", "dateUpdated": "2024-08-03T21:47:33.085Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devise_masquerade_project:devise_masquerade:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "79CC6B34-9869-474E-8C73-627B70DF22ED", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value became publicly known (for instance if it is committed to a public repository by mistake), there are still other protections in place that prevent an attacker from impersonating any user on the site. When masquerading is not used in a plain Devise application, one must know the password salt of the target user if one wants to encrypt and sign a valid session cookie. When devise_masquerade is used, however, an attacker can decide which user the \"back\" action will go back to without knowing that user's password salt and simply knowing the user ID, by manipulating the session cookie and pretending that a user is already masqueraded by an administrator."}, {"lang": "es", "value": "devise_masquerade gem versiones anteriores a 1.3, permite determinados ataques cuando se desconoce el salt de una contrase\u00f1a. Una aplicaci\u00f3n que usa esta gema para permitir a administradores enmascarar/impersonar a usuarios pierde una capa de protecci\u00f3n de seguridad en comparaci\u00f3n con una situaci\u00f3n en la que se usa Devise (sin esta extensi\u00f3n). Si el valor de secret_key_base del lado del servidor se hace p\u00fablicamente conocido (por ejemplo, si es comprometido a un repositorio p\u00fablico por error), todav\u00eda se presentan otras protecciones en el lugar que impiden a un atacante hacerse pasar por cualquier usuario en el sitio. Cuando no se usa el enmascaramiento en una aplicaci\u00f3n devise_masquerade, uno debe conocer el salt de la contrase\u00f1a del usuario objetivo si quiere cifrar y firmar una cookie de sesi\u00f3n v\u00e1lida. Sin embargo, cuando es usada devise_masquerade, un atacante puede decidir a qu\u00e9 usuario volver\u00e1 la acci\u00f3n \"back\" sin conocer el salt de la contrase\u00f1a de ese usuario y simplemente conociendo el ID del usuario, al manipular la cookie de sesi\u00f3n y fingiendo que un usuario ya est\u00e1 enmascarado por un administrador"}], "id": "CVE-2021-28680", "lastModified": "2024-11-21T06:00:07.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2021-12-07T21:15:08.133", "references": [{"source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/oivoodoo/devise_masquerade/issues/83"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/oivoodoo/devise_masquerade/issues/83"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labanskoller.se/blog/2021/03/23/the-devise-extension-that-peeled-off-one-layer-of-the-security-onion-cve-2021-28680/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "[email protected]", "type": "Primary"}]}

{}