GHSA-gpqc-4pp7-5954
- Source
- https://github.com/advisories/GHSA-gpqc-4pp7-5954
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-gpqc-4pp7-5954/GHSA-gpqc-4pp7-5954.json
- Published
- 2021-11-18T20:15:35Z
- Modified
- 2023-05-26T15:25:52.544534Z
- Details
-
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of
spree_auth_deviseare affected ifprotect_from_forgerymethod is both:- Executed whether as:
- A beforeaction callback (the default)
- A prependbeforeaction (option prepend: true given) before the :loadobject hook in Spree::UserController (most likely order to find).
- Configured to use :nullsession or :resetsession strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
Spree 4.3 users should update to spreeauthdevise 4.4.1 Spree 4.2 users should update to spreeauthdevise 4.2.1 Spree 4.1 users should update to spreeauthdevise 4.1.1 Older Spree version users should update to spreeauthdevise 4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController < ActionController::Base protect_from_forgery with: :exception endAdd the following to
config/application.rbto at least run the:exceptionstrategy on the affected controller:config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception endReferences
https://github.com/solidusio/solidusauthdevise/security/advisories/GHSA-xm34-v85h-9pg2
- Executed whether as:
- References
-
- https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml
- https://github.com/spree/spree_auth_devise