CVE-2022-31000 – solidus_backend
Package
Manager: gem
Name: solidus_backend
Vulnerable Version: >=0 <2.11.16 || >=3.0.0 <3.0.6 || >=3.1.0 <3.1.6
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0016 (percentile 0.37463)
Details
CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

### Impact
CSRF vulnerability allowing attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer.

Reproduction steps:
- Take an order's number.
- Log in as an administrator.
- Visit that order's adjustments section (_Orders -> {Click on number} -> Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column).
- On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`.
- Notice how the adjustments are unfinalized (open padlock), even though the previous request was a `GET` request which could have been linked from any other site.
- Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`.
- Notice how the adjustments are again finalized.

That happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection.

### Patches
Users should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.

### References
- [Rails CSRF protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html).

### For more information
If you have any questions or comments about this advisory:
- Open an [issue](https://github.com/solidusio/solidus/issues) or a [discussion](https://github.com/solidusio/solidus/discussions) in Solidus.
- Email us at [security@solidus.io](mailto:security@solidus.io)
- Contact the core team on [Slack](http://slack.solidus.io/)
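The root cause above is that Rails' request forgery protection only verifies a CSRF token on non-safe HTTP verbs, so a state-changing action reachable by `GET` is never checked. The following is an added illustration, not Solidus code or the project's actual patch: a small Ruby model of that verb-based decision, applied to a route table in the vulnerable shape (both actions on `GET`) and in a hardened shape (both on `PUT`). The route tables, the `cross_site_request_succeeds?` helper and the token values are assumptions constructed for the example.

```ruby
# Added example (not Solidus code): models how Rails' RequestForgeryProtection
# decides which requests need a CSRF token, and why moving the
# finalize/unfinalize actions off GET closes the hole described above.

# Rails treats GET and HEAD as "safe" verbs and never demands a token for
# them; every other verb must carry a token that matches the session's token.
SAFE_VERBS = %w[GET HEAD].freeze

# Constant-time comparison so a token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the shape of Rails' verified_request?: safe verbs pass unconditionally,
# everything else needs a submitted token equal to the one stored in the session.
def csrf_verified?(method:, session_token:, submitted_token:)
  return true if SAFE_VERBS.include?(method.upcase)
  return false if session_token.nil? || submitted_token.nil?
  secure_compare(session_token, submitted_token)
end

# Hypothetical route tables for /admin/orders/:number/adjustments/:action.
# VULNERABLE_ROUTES is the pre-fix shape the advisory describes (both on GET);
# FIXED_ROUTES is one hardened shape (a non-safe verb, here PUT).
VULNERABLE_ROUTES = { 'finalize' => 'GET', 'unfinalize' => 'GET' }.freeze
FIXED_ROUTES      = { 'finalize' => 'PUT', 'unfinalize' => 'PUT' }.freeze

# Simulates a request that arrives with the administrator's session cookie but
# no CSRF token, which is what a request initiated from another site looks like.
# Returns true when the state change would be accepted.
def cross_site_request_succeeds?(routes, action, session_token)
  verb = routes.fetch(action)
  csrf_verified?(method: verb, session_token: session_token, submitted_token: nil)
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-session-token'
  puts "GET unfinalize accepted without token: #{cross_site_request_succeeds?(VULNERABLE_ROUTES, 'unfinalize', token)}"
  puts "PUT unfinalize accepted without token: #{cross_site_request_succeeds?(FIXED_ROUTES, 'unfinalize', token)}"
end
```

In a real Rails application the equivalent hardening is to declare the two actions with a non-GET verb in `config/routes.rb` (for example `put :finalize` and `put :unfinalize` inside the adjustments `collection` block) and to trigger them from the admin UI with a form or `button_to`, so the authenticity token is submitted and verified. The model also makes the detection angle visible: before the fix, a state change on these paths shows up in access logs as a plain `GET` with no token, which is the pattern a reviewer can grep admin routes for.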
Metadata
Created: 2022-06-01T20:26:37Z
Modified: 2022-06-01T20:26:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-8639-qx56-r428/GHSA-8639-qx56-r428.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-8639-qx56-r428
Finding: F007
Auto approve: 1