GHSA-xm34-v85h-9pg2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xm34-v85h-9pg2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-xm34-v85h-9pg2/GHSA-xm34-v85h-9pg2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xm34-v85h-9pg2
- Aliases
- Published
- 2021-11-18T20:09:32Z
- Modified
- 2023-11-08T04:06:58.287053Z
- Severity
-
- 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- Summary
- Authentication Bypass by CSRF Weakness
- Details
-
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of
solidus_auth_deviseare affected ifprotect_from_forgerymethod is both: - Executed whether as: - Abefore_actioncallback (the default) - Aprepend_before_action(optionprepend: truegiven) before the:load_objecthook inSpree::UserController(most likely order to find). - Configured to use:null_sessionor:reset_sessionstrategies (:null_sessionis the default in case the no strategy is given, butrails --newgenerated skeleton use:exception).That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Patches
Users should promptly update to
solidus_auth_deviseversion2.5.4.Workarounds
A couple of options:
If possible, change your strategy to
:exception:class ApplicationController < ActionController::Base protect_from_forgery with: :exception endAdd the following to
config/application.rbto at least run the:exceptionstrategy on the affected controller:config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception endWe've also released new Solidus versions monkey patching
solidus_auth_devisewith the quick fix. Those versions arev3.1.3,v.3.0.3&v2.11.12. See GHSA-5629-8855-gf4g for details.
References
Thanks
We'd like to thank vampire000 for reporting this issue.
For more information
If you have any questions or comments about this advisory: * Open an issue in solidusauthdevise or a discussion in solidus * Email us at security@solidus.io * Contact the core team on Slack
- Database specific
{ "nvd_published_at": "2021-11-17T20:15:00Z", "github_reviewed_at": "2021-11-17T19:57:48Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-352" ] }- References
-
- https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- https://nvd.nist.gov/vuln/detail/CVE-2021-41274
- https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_auth_devise/CVE-2021-41274.yml
- https://github.com/solidusio/solidus_auth_devise
- https://github.com/solidusio/solidus_auth_devise/releases/tag/v2.5.4
Affected packages
RubyGems / solidus_auth_devise
Package
- Name
- solidus_auth_devise
- Purl
- pkg:gem/solidus_auth_devise