GHSA-5629-8855-gf4g solidus_core

Package

Manager: gem
Name: solidus_core
Vulnerable Version: >=0 <2.11.12 || >=3.0.0 <3.0.3 || >=3.1.0 <3.1.3

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Authentication Bypass by CSRF Weakness

### Impact

The actual vulnerability has been discovered on `solidus_auth_devise`. See [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2) for details.

The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update `solidus_auth_devise`. For this reason, it has been marked as low impact on this end.

### Patches

For extra security, update `solidus_core` to versions `3.1.3`, `3.0.3` or `2.11.12`.

### Workarounds

Look at the workarounds described at [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2).

### References

- [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions)
* Email us at [security@solidus.io](mailto:security@solidus.io)
* Contact the core team on [Slack](http://slack.solidus.io/)

Metadata

Created: 2021-11-18T20:12:40Z
Modified: 2021-11-17T21:07:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-5629-8855-gf4g/GHSA-5629-8855-gf4g.json
CWE IDs: ["CWE-305", "CWE-352"]
Alternative ID: N/A
Finding: F007
Auto approve: 1