CVE-2021-41274 – solidus_auth_devise
Package
Manager: gem
Name: solidus_auth_devise
Vulnerable Version: >=1.0.0 <2.5.4
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00106 pctl0.29274
Details
Authentication Bypass by CSRF Weakness

### Impact

CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if the `protect_from_forgery` method is both:

- Executed, whether as:
  - a `before_action` callback (the default), or
  - a `prepend_before_action` (option `prepend: true` given),

  before the `:load_object` hook in `Spree::UserController` (the most likely order).
- Configured to use the `:null_session` or `:reset_session` strategy (`:null_session` is the default when no strategy is given, but the skeleton generated by `rails new` uses `:exception`).

That means applications that haven't been configured differently from what Rails generates aren't affected.

### Patches

Users should promptly update to `solidus_auth_devise` version `2.5.4`.

### Workarounds

A couple of options:

- If possible, change your strategy to `:exception`:

  ```ruby
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
  ```

- Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller:

  ```ruby
  config.after_initialize do
    Spree::UsersController.protect_from_forgery with: :exception
  end
  ```

- We've also released new Solidus versions monkey patching `solidus_auth_devise` with the quick fix. Those versions are `v3.1.3`, `v3.0.3` & `v2.11.12`. See [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g) for details.

### References

- [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
- [Solidus security](https://solidus.io/security/)

### Thanks

We'd like to thank [vampire000](https://hackerone.com/vampire000) for reporting this issue.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions)
* Email us at [security@solidus.io](mailto:security@soliidus.io)
* Contact the core team on [Slack](http://slack.solidus.io/)
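As an added audit helper that is not part of the advisory or of the Solidus project, the following Ruby script checks the two static conditions above (locked `solidus_auth_devise` version in the affected range, and a `protect_from_forgery` strategy of `:null_session` or `:reset_session`, including the implicit `:null_session` when no `with:` option is given). It assumes the callback ordering condition holds, as the advisory says is most likely, and works on constructed file contents passed in as strings.

```ruby
# Added audit helper (not from the advisory): flags an app whose locked
# solidus_auth_devise version and CSRF strategy match the affected conditions.
require "rubygems" # Gem::Version, for semantic version comparison

PATCHED_VERSION  = Gem::Version.new("2.5.4")
FIRST_AFFECTED   = Gem::Version.new("1.0.0")
AFFECTED_STRATS  = %i[null_session reset_session].freeze

# Locked solidus_auth_devise version from Gemfile.lock text, or nil if absent.
def locked_version(gemfile_lock)
  m = gemfile_lock.match(/^\s+solidus_auth_devise \(([\d.]+)\)/)
  m && Gem::Version.new(m[1])
end

# CSRF strategy declared in controller source. Rails falls back to
# :null_session when protect_from_forgery is called without `with:`.
# :none means no explicit call was found (review the Rails defaults manually).
def csrf_strategy(controller_src)
  call = controller_src.match(/protect_from_forgery\b([^\n]*)/)
  return :none unless call
  opt = call[1].match(/with:\s*:(\w+)/)
  opt ? opt[1].to_sym : :null_session
end

# True when the version is in [1.0.0, 2.5.4) and the strategy is affected.
# Assumes protect_from_forgery runs before :load_object (not checked here).
def affected?(gemfile_lock, controller_src)
  v = locked_version(gemfile_lock)
  return false if v.nil? || v < FIRST_AFFECTED || v >= PATCHED_VERSION
  AFFECTED_STRATS.include?(csrf_strategy(controller_src))
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      solidus_auth_devise (2.5.3)
        deface (~> 1.0)
LOCK
WEAK_CONTROLLER  = "class ApplicationController < ActionController::Base\n" \
                   "  protect_from_forgery with: :null_session\nend\n"
FIXED_CONTROLLER = "class ApplicationController < ActionController::Base\n" \
                   "  protect_from_forgery with: :exception\nend\n"

if __FILE__ == $PROGRAM_NAME
  puts "weak config affected:  #{affected?(SAMPLE_LOCK, WEAK_CONTROLLER)}"
  puts "fixed config affected: #{affected?(SAMPLE_LOCK, FIXED_CONTROLLER)}"
end
```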
Metadata
Created: 2021-11-18T20:09:32Z
Modified: 2021-11-17T19:57:48Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-xm34-v85h-9pg2/GHSA-xm34-v85h-9pg2.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-xm34-v85h-9pg2
Finding: F007
Auto approve: 1