Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14bTM0LXY4NWgtOXBnMs0XUA
Authentication Bypass by CSRF Weakness
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of solidus_auth_devise are affected if protect_from_forgery method is both:
- Executed whether as:
- A
before_actioncallback (the default) - A
prepend_before_action(optionprepend: truegiven) before the:load_objecthook inSpree::UserController(most likely order to find).
- A
- Configured to use
:null_sessionor:reset_sessionstrategies (:null_sessionis the default in case the no strategy is given, butrails --newgenerated skeleton use:exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Patches
Users should promptly update to solidus_auth_devise version 2.5.4.
Workarounds
A couple of options:
-
If possible, change your strategy to
:exception:class ApplicationController < ActionController::Base protect_from_forgery with: :exception end -
Add the following to
config/application.rbto at least run the:exceptionstrategy on the affected controller:config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end -
We've also released new Solidus versions monkey patching
solidus_auth_devisewith the quick fix. Those versions arev3.1.3,v.3.0.3&v2.11.12. See GHSA-5629-8855-gf4g for details.
References
Thanks
We'd like to thank vampire000 for reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in solidus_auth_devise or a discussion in solidus
- Email us at [email protected]
- Contact the core team on Slack
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14bTM0LXY4NWgtOXBnMs0XUA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Identifiers: GHSA-xm34-v85h-9pg2, CVE-2021-41274
References:
- https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- https://github.com/solidusio/solidus_auth_devise/releases/tag/v2.5.4
- https://nvd.nist.gov/vuln/detail/CVE-2021-41274
- https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_auth_devise/CVE-2021-41274.yml
- https://github.com/advisories/GHSA-xm34-v85h-9pg2
Blast Radius: 25.6
Affected Packages
rubygems:solidus_auth_devise
Dependent packages: 13Dependent repositories: 572
Downloads: 2,288,384 total
Affected Version Ranges: >= 1.0.0, < 2.5.4
Fixed in: 2.5.4
All affected versions: 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3
All unaffected versions: 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9