Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xeG1yLXF4aDYtMmNjOc0ZdQ
ReDoS vulnerability on guest checkout email validation
Impact
Denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like "a.a.".
Before the patch, it can be reproduced in the console like this:
irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "[email protected].@"
processing time: 54.293660s
=> nil
To reproduce in the browser, fill in the "Customer Email" field with that fake email address during a guest checkout. Before that, open the browser dev tools and change the type attribute for that field from "email" to "text". After entering a fake address and pressing the "Save & Continue" button, the browser will take a long time to perform the request before showing an error message for the invalid address. Making the email string even longer could eventually exhaust server resources.
Patches
Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression.
There is a small chance that some orders in your system have an associated email address that is no longer valid under the new regular expression. We've added a task to check precisely that:
bin/rails solidus:check_orders_with_invalid_email
The above will print information for every affected order, if any.
Workarounds
If a prompt upgrade is not an option, add the following to config/application.rb:
config.after_initialize do
Spree::EmailValidator.send(:remove_const, :EMAIL_REGEXP)
Spree::EmailValidator::EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP
end
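The following is an added example, not code from the Solidus project or this advisory. It isolates what the workaround above does (swapping in Ruby's stdlib URI::MailTo::EMAIL_REGEXP) and adds the two checks a practitioner wants after such a swap: a regression check that the replacement pattern rejects long, adversarially shaped input in bounded time, and a scan for stored addresses the new pattern would reject, which is the job the solidus:check_orders_with_invalid_email task performs. The orders list is a constructed in-memory stand-in for Spree::Order rows; the helper names (valid_email?, rejects_quickly?, orders_with_invalid_email) are this example's own.

```ruby
# Added example (not Solidus code): the workaround's regexp swap in isolation,
# plus a backtracking regression check and an invalid-address scan.
require 'uri'

# The regexp the advisory's workaround installs in place of the vulnerable one.
SAFE_EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP

def valid_email?(address)
  address.is_a?(String) && SAFE_EMAIL_REGEXP.match?(address)
end

# Returns [matched?, seconds] for one match attempt. A backtracking-prone
# pattern grows super-linearly with input length; a safe one does not.
def timed_match(regexp, input)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = regexp.match?(input)
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

# Builds an input in the shape the advisory describes: many "a.a." fragments
# followed by a character that forces the overall match to fail. Constructed
# here for the regression check only.
def backtracking_probe(fragments)
  "user@#{'a.a.' * fragments}@"
end

# True when the regexp rejects a probe of `fragments` fragments within `budget` seconds.
def rejects_quickly?(regexp, fragments: 2_000, budget: 0.5)
  matched, seconds = timed_match(regexp, backtracking_probe(fragments))
  !matched && seconds < budget
end

# Mirrors the advisory's check task on an in-memory list: returns the records
# whose stored email no longer passes the validator. `orders` is an array of
# hashes with :number and :email keys (a stand-in for Spree::Order rows).
def orders_with_invalid_email(orders)
  orders.reject { |order| valid_email?(order[:email]) }
end

# Optional defense in depth on Ruby >= 3.2: a process-wide cap so any remaining
# backtracking-prone pattern fails fast instead of pinning a worker. Returns
# false on older Rubies where Regexp.timeout= does not exist.
def install_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample orders, not real customer data.
  orders = [
    { number: 'R100', email: 'alice@example.com' },
    { number: 'R101', email: 'bob@example.co.uk' },
    { number: 'R102', email: 'not an email' },
    { number: 'R103', email: 'trailing.dot@example.com.' },
  ]
  orders_with_invalid_email(orders).each do |order|
    puts "order #{order[:number]} has invalid email #{order[:email].inspect}"
  end
  matched, seconds = timed_match(SAFE_EMAIL_REGEXP, backtracking_probe(10_000))
  puts format('probe matched=%s in %.4fs', matched, seconds)
  puts "Regexp.timeout installed: #{install_regexp_timeout(1.0)}"
end
```

Run it with `ruby check_email_regexp.rb` (any filename works). The regression check is the part worth keeping in a test suite: if someone later reintroduces a pattern with nested unbounded quantifiers, rejects_quickly? fails before the pattern reaches a checkout form.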
For more information
If you have any questions or comments about this advisory:
- Open an issue or a discussion in Solidus.
- Email us at [email protected]
- Contact the core team on Slack
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xeG1yLXF4aDYtMmNjOc0ZdQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-qxmr-qxh6-2cc9, CVE-2021-43805
References:
- https://github.com/solidusio/solidus/security/advisories/GHSA-qxmr-qxh6-2cc9
- https://github.com/solidusio/solidus/commit/6be174c955fad84017ca67589c676526bc5ade71
- https://nvd.nist.gov/vuln/detail/CVE-2021-43805
- https://github.com/solidusio/solidus/commit/9867153e01e3c3b898cdbcedd7b43375ea922401
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_core/CVE-2021-43805.yml
- https://github.com/advisories/GHSA-qxmr-qxh6-2cc9
Blast Radius: 20.8
Affected Packages
rubygems:solidus_core
Dependent packages: 108
Dependent repositories: 593
Downloads: 2,501,144 total
Affected Version Ranges: >= 3.1.0, < 3.1.4, >= 3.0.0, < 3.0.4, < 2.11.13
Fixed in: 3.1.4, 3.0.4, 2.11.13
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.4.1, 1.4.2, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.4.2, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.5, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.1.2, 3.1.3
All unaffected versions: 2.11.13, 2.11.14, 2.11.15, 2.11.16, 2.11.17, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.4.4, 3.4.5, 3.4.6, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4