Cross-site request forgery In spree_auth_devise
Description
Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:
Executed whether as:
A before_action callback (the default)
A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController < ActionController::Base protect_from_forgery with: :exception end
Add the following toconfig/application.rb to at least run the :exception strategy on the affected controller:
config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end
References
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 rubygems | 4.4.1, 4.2.1, 4.1.1, 4.0.1 |
Aliases
References