CVE-2021-43805 – solidus_core
Package
Manager: gem
Name: solidus_core
Vulnerable Version: >=0 <2.11.13 || >=3.0.0 <3.0.4 || >=3.1.0 <3.1.4
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00118 (percentile 0.31395)
Details
ReDoS vulnerability on guest checkout email validation

### Impact

Denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like `a.a.`: each additional `a.` roughly doubles the number of ways the engine can split the domain part before the match finally fails, so processing time grows exponentially with the length of the input. Before the patch, it can be reproduced in the console like this:

```ruby
irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@"
processing time: 54.293660s
=> nil
```

To reproduce in the browser, fill in the "Customer Email" field with that fake email address during a guest checkout. Before that, open the browser dev tools and change the `type` attribute of that field from `email` to `text`; the `email` input type is only a client-side convenience check, and the vulnerable expression runs on the server against whatever is submitted. After entering the fake address and pressing the "Save & Continue" button, the browser will take a long time to perform the request before showing an error message for the invalid address. Making the email string longer still could exhaust server resources.

### Patches

Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. It is unlikely, but possible, that some orders in your system have an associated email address that is no longer valid under the new expression. We've added a task to check precisely that:

```bash
bin/rails solidus:check_orders_with_invalid_email
```

The above will print information for every affected order, if any.
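The following script is an added example, not code from Solidus or from this advisory. It shows the two sides of the issue above in one place: a regular expression with the same structural flaw (`REDOS_SHAPED_REGEXP`, an illustrative stand-in and not the exact expression that shipped in `Spree::EmailValidator`), the `URI::MailTo::EMAIL_REGEXP` expression the workaround below swaps in, a payload builder for the `a@a.a.a.…@` shape, a match wrapper that runs under a wall-clock budget so the demonstration cannot hang a console, and a hypothetical `orders_with_invalid_email` helper run over constructed sample rows (`SAMPLE_ORDERS`) to mirror what the `solidus:check_orders_with_invalid_email` task is for: addresses the old, permissive expression accepted but the new one rejects.

```ruby
require "uri"
require "timeout"

# Added example, not Solidus code. REDOS_SHAPED_REGEXP is an illustrative
# stand-in with the flaw the advisory describes, NOT the exact expression that
# shipped in Spree::EmailValidator (assumption): the inner class [^@\s] also
# matches ".", so "([^@\s]+\.)+" can carve "a.a.a." into exponentially many
# label sequences before the trailing "[^@\s]+\z" fails on the final "@".
REDOS_SHAPED_REGEXP = /\A[^@\s]+@([^@\s]+\.)+[^@\s]+\z/

# The expression the advisory's workaround swaps in. Each domain label is a
# fixed-shape token and labels are separated by a literal dot, so there is only
# one way to match any given input and backtracking stays linear.
SAFE_REGEXP = URI::MailTo::EMAIL_REGEXP

# Builds the payload shape from the advisory: "a@" + "a." * repeats + "@".
# The final "@" guarantees the overall match fails, forcing the engine to
# exhaust every split of the dotted run before giving up.
def attacker_email(repeats)
  "a@#{'a.' * repeats}@"
end

# Runs a match under a wall-clock budget. Returns [result, elapsed_seconds],
# where result is true, false, or :timeout. Ruby >= 3.2 memoizes backtracking
# for regexps like these (and offers Regexp.timeout=), so the flawed expression
# returns false quickly there; on older rubies it hits :timeout once `repeats`
# is around thirty, in line with the 54 s figure in the advisory.
def guarded_match(regexp, string, limit_seconds: 2)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  result = begin
    Timeout.timeout(limit_seconds) { regexp.match?(string) }
  rescue Timeout::Error
    :timeout
  end
  [result, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
end

# Constructed sample rows standing in for Spree::Order records (not from any
# real store). R2 and R3 satisfy the permissive expression but not
# URI::MailTo's, which is the situation `solidus:check_orders_with_invalid_email`
# exists to surface.
SAMPLE_ORDERS = [
  { number: "R1", email: "alice@example.com" },
  { number: "R2", email: "josé@example.com" },        # non-ASCII local part
  { number: "R3", email: "bob@exa_mple.com" },         # underscore in a domain label
  { number: "R4", email: "carol@mail.example.co.uk" },
].freeze

# Hypothetical helper mirroring the intent of the patch's rake task: return the
# orders whose stored email no longer satisfies the validator's expression.
def orders_with_invalid_email(orders, regexp = SAFE_REGEXP)
  orders.reject { |order| regexp.match?(order[:email].to_s) }
end

if __FILE__ == $PROGRAM_NAME
  payload = attacker_email(30)
  { "flawed" => REDOS_SHAPED_REGEXP, "URI::MailTo" => SAFE_REGEXP }.each do |label, re|
    result, secs = guarded_match(re, payload)
    puts format("%-12s %-8s %.3fs", label, result.inspect, secs)
  end
  orders_with_invalid_email(SAMPLE_ORDERS).each do |order|
    puts "order #{order[:number]}: email no longer valid (#{order[:email]})"
  end
end
```

Run it with `ruby redos_check.rb` (any file name). On a Ruby older than 3.2 the "flawed" line reports `:timeout` while the `URI::MailTo` line returns `false` in microseconds, which is the whole difference the patch makes; on 3.2 or later both return `false` quickly because the interpreter itself now bounds this class of backtracking, so do not read a fast result there as proof that an application's own expression is safe on the Ruby it deploys to. The order check is deliberately run against the new expression only, because an address that the old expression rejected could never have been saved in the first place.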
### Workarounds

If a prompt upgrade is not an option, add the following to `config/application.rb`:

```ruby
config.after_initialize do
  Spree::EmailValidator.send(:remove_const, :EMAIL_REGEXP)
  Spree::EmailValidator::EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP
end
```

### References

- https://en.wikipedia.org/wiki/ReDoS
- https://snyk.io/blog/redos-and-catastrophic-backtracking/

### For more information

If you have any questions or comments about this advisory:

* Open an [issue](https://github.com/solidusio/solidus/issues) or a [discussion](https://github.com/solidusio/solidus/discussions) in Solidus.
* Email us at [security@solidus.io](mailto:security@solidus.io)
* Contact the core team on [Slack](http://slack.solidus.io/)
Metadata
Created: 2021-12-07T22:01:47Z
Modified: 2021-12-08T19:29:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qxmr-qxh6-2cc9/GHSA-qxmr-qxh6-2cc9.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-qxmr-qxh6-2cc9
Finding: F211
Auto approve: 1