CVE-2021-41275

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-41275
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41275.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41275
Aliases
Related
Published
2021-11-17T20:15:10Z
Modified
2025-01-15T02:05:21.052548Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

spreeauthdevise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spreeauthdevise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spreeauthdevise are affected if protectfromforgery method is both: Executed whether as: A beforeaction callback (the default). A prependbeforeaction (option prepend: true given) before the :loadobject hook in Spree::UserController (most likely order to find). Configured to use :nullsession or :resetsession strategies (:nullsession is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spreeauthdevise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: * Executed whether as: * A beforeaction callback (the default) * A prependbeforeaction (option prepend: true given) before the :loadobject hook in Spree::UserController (most likely order to find). * Configured to use :nullsession or :resetsession strategies (:nullsession is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch �� ### Patches Spree 4.3 users should update to spreeauthdevise 4.4.1 Spree 4.2 users should update to spreeauthdevise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end Add the following toconfig/application.rbto at least run the :exception strategy on the affected controller: ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ### References https://github.com/solidusio/solidusauthdevise/security/advisories/GHSA-xm34-v85h-9pg2

References

Affected packages

Git / github.com/spree/spree_auth_devise

Affected ranges

Type
GIT
Repo
https://github.com/spree/spree_auth_devise
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v.*

v.3.4.0

v3.*

v3.1.0
v3.2.0
v3.3.0
v3.3.0.rc1
v3.3.1
v3.3.2
v3.3.3
v3.4.1
v3.4.2
v3.5.0

v4.*

v4.0.0
v4.0.0.rc1
v4.0.0.rc2
v4.1.0
v4.1.0.rc1
v4.2.0
v4.3.0
v4.3.3
v4.3.4
v4.4.0