GHSA-26xx-m4q2-xhq8

Source
https://github.com/advisories/GHSA-26xx-m4q2-xhq8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-26xx-m4q2-xhq8/GHSA-26xx-m4q2-xhq8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-26xx-m4q2-xhq8
Aliases
Published
2021-11-18T20:14:19Z
Modified
2023-11-08T04:06:58.347585Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Authentication Bypass by CSRF Weakness
Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if the protect_from_forgery method is both:

  • Executed, whether as:
    • a before_action callback (the default), or
    • a prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UsersController (the most likely order to find).
  • Configured to use the :null_session or :reset_session strategy (:null_session is the default when no strategy is given, but the skeleton generated by rails new uses :exception).

Both strategies let the request continue after a failed token check, so an action that has already resolved the logged-in user from the real session still runs with the forged parameters; only :exception aborts the request. That means that applications whose forgery protection hasn't been configured differently from what Rails generates aren't affected.
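To make the difference between the strategies concrete, here is an added example (not code from spree_auth_devise, Spree or Rails): a toy model of the three protect_from_forgery strategies and of a users controller whose :load_object hook resolves the current user from the session. The class names, the user store, the session contents and the forged form are all constructed for the illustration. The model only shows what each strategy does to a request whose token check fails (abort versus continue); it does not reproduce the real Rails/Devise callback chain, which the advisory states is affected in the default before_action order as well.

```ruby
# Added example, not code from spree_auth_devise, Spree or Rails: a toy model of
# the three protect_from_forgery strategies and of a users controller whose
# :load_object hook resolves the current user from the session. Class names,
# the user store and the session contents are all constructed for the illustration.

class InvalidAuthenticityToken < StandardError; end

# Constructed user store, keyed by id, rebuilt for every attempt.
def fresh_users
  { 1 => { email: "alice@example.com" } }
end

# What the server sees: the victim's session (the browser attaches the cookie to
# cross-site form posts too), the form params and the submitted CSRF token.
Request = Struct.new(:session, :params, :token)

class UsersController
  # strategy: :null_session, :reset_session or :exception
  # order: the before_action chain, e.g. %i[verify_authenticity_token load_object]
  def initialize(users, strategy:, order:)
    @users, @strategy, @order = users, strategy, order
  end

  # Stand-in for the callback protect_from_forgery installs. A matching token
  # lets the request through; otherwise the strategy decides what happens.
  def verify_authenticity_token(req)
    return if req.token && req.token == req.session[:csrf_token]
    case @strategy
    when :null_session  then req.session = {}   # rest of the request sees an empty session
    when :reset_session then req.session.clear  # the real session is wiped, request goes on
    when :exception     then raise InvalidAuthenticityToken
    else raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end

  # Stand-in for the :load_object hook: the object to edit is the logged-in user.
  def load_object(req)
    @user = @users[req.session[:user_id]]
  end

  # The update action: run the callback chain, then write the submitted email
  # onto whatever user was loaded.
  def update(req)
    @user = nil
    @order.each { |callback| send(callback, req) }
    return :no_user unless @user
    @user[:email] = req.params[:email]
    :updated
  end
end

# Sends one request against a freshly built controller. token: nil models a
# cross-site form, which cannot know the victim's token. Returns the outcome
# and the email Alice ends up with.
def attempt(strategy:, order:, token: nil, new_email: "attacker@example.com")
  users = fresh_users
  controller = UsersController.new(users, strategy: strategy, order: order)
  request = Request.new({ user_id: 1, csrf_token: "s3cret" }, { email: new_email }, token)
  outcome = begin
    controller.update(request)
  rescue InvalidAuthenticityToken
    :rejected
  end
  [outcome, users[1][:email]]
end

if __FILE__ == $PROGRAM_NAME
  order = %i[load_object verify_authenticity_token]
  %i[null_session reset_session exception].each do |strategy|
    puts "#{strategy}: #{attempt(strategy: strategy, order: order).inspect}"
  end
end
```

With the user loaded before the token check, :null_session and :reset_session both report :updated and Alice's email has been replaced by the attacker's value; :exception reports :rejected and leaves the account untouched, whichever order the callbacks run in, while a request carrying the real token still goes through.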

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

  • Spree 4.3 users should update to spree_auth_devise 4.4.1
  • Spree 4.2 users should update to spree_auth_devise 4.2.1
  • Spree 4.1 users should update to spree_auth_devise 4.1.1
  • Older Spree version users should update to spree_auth_devise 4.0.1
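A check a practitioner can run against an application's Gemfile.lock, added here as an example (it is not part of the advisory or of spree_auth_devise): it reads the locked spree_auth_devise version, tests it against the affected ranges listed in this advisory and names the smallest fixed version for its line. The lockfile excerpt is constructed; the function names are the example's own.

```ruby
# Added example, not part of the advisory or of spree_auth_devise: decide from a
# Gemfile.lock whether the locked spree_auth_devise falls in an affected range.
# The ranges are the ones listed in this advisory; the lockfile text is constructed.

# [introduced, fixed) ranges from the advisory. Gem::Version orders
# prereleases below their release (4.0.0.rc1 < 4.0.0), so they fall inside.
AFFECTED_RANGES = [
  ["0",     "4.0.1"],
  ["4.1.0", "4.1.1"],
  ["4.2.0", "4.2.1"],
  ["4.3.0", "4.4.1"],
].map { |lo, hi| [Gem::Version.new(lo), Gem::Version.new(hi)] }

# Returns the [introduced, fixed] pair containing the version, or nil.
def affected_range(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.find { |lo, hi| v >= lo && v < hi }
end

def affected?(version_string)
  !affected_range(version_string).nil?
end

# Smallest fixed version for an affected version (nil when not affected).
def fixed_for(version_string)
  range = affected_range(version_string)
  range && range[1].to_s
end

# Resolved gems in Gemfile.lock appear under "specs:" indented by exactly four
# spaces as "name (version)"; their dependency lines are indented by six, so a
# gem that is only someone else's dependency is not mistaken for the resolved one.
def locked_version(lockfile_text, gem_name = "spree_auth_devise")
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Full check: returns a hash describing the finding.
def check_lockfile(lockfile_text)
  version = locked_version(lockfile_text)
  return { present: false } unless version
  { present: true, version: version, affected: affected?(version), fixed: fixed_for(version) }
end

# Constructed lockfile excerpt for the demonstration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree_auth_devise (4.4.0)
        spree_core (>= 4.3.0)
        devise (~> 4.7)
LOCK

if __FILE__ == $PROGRAM_NAME
  p check_lockfile(SAMPLE_LOCK)
  p check_lockfile(File.read(ARGV[0])) if ARGV[0]
end
```

Run it with the path to a Gemfile.lock as the first argument to check a real application; the sample excerpt reports 4.4.0 as affected with 4.4.1 as the fix.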

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Otherwise, add the following to config/application.rb so that at least the affected controller runs the :exception strategy:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Database specific
{
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "github_reviewed_at": "2021-11-17T21:07:45Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}
Affected packages

RubyGems / spree_auth_devise

Package

Name
spree_auth_devise
Purl
pkg:gem/spree_auth_devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.4.1

Affected versions

4.*

4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.4.0

RubyGems / spree_auth_devise

Package

Name
spree_auth_devise
Purl
pkg:gem/spree_auth_devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.2.1

Affected versions

4.*

4.2.0

RubyGems / spree_auth_devise

Package

Name
spree_auth_devise
Purl
pkg:gem/spree_auth_devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.1

Affected versions

4.*

4.1.0

RubyGems / spree_auth_devise

Package

Name
spree_auth_devise
Purl
pkg:gem/spree_auth_devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
4.0.1

Affected versions

1.*

1.0.0
1.0.1
1.2.0
1.3.1

3.*

3.0.5
3.0.6
3.1.0
3.2.0.beta
3.2.0
3.3.0.rc1
3.3.0
3.3.1
3.3.3
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.5.2

4.*

4.0.0.rc1
4.0.0.rc2
4.0.0