solidus_auth_devise 1.2.0
Authentication Bypass by CSRF Weakness
high severity CVE-2021-41274>= 2.5.4
< 1.0.0
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of solidus_auth_devise
are affected if protect_from_forgery
method is both:
- Executed whether as:
- A
before_action
callback (the default) - A
prepend_before_action
(optionprepend: true
given) before the:load_object
hook inSpree::UserController
(most likely order to find).
- A
- Configured to use
:null_session
or:reset_session
strategies (:null_session
is the default in case the no strategy is given, butrails --new
generated skeleton use:exception
).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Patches
Users should promptly update to solidus_auth_devise
version 2.5.4
.
Workarounds
A couple of options:
-
If possible, change your strategy to
:exception
:class ApplicationController < ActionController::Base protect_from_forgery with: :exception end
-
Add the following to
config/application.rb
to at least run the:exception
strategy on the affected controller:config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end
-
We've also released new Solidus versions monkey patching
solidus_auth_devise
with the quick fix. Those versions arev3.1.3
,v.3.0.3
&v2.11.12
. See GHSA-5629-8855-gf4g for details.
References
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.