solidus_auth_devise 1.6.1

1 security vulnerability found in version 1.6.1

Authentication Bypass by CSRF Weakness

high severity CVE-2021-41274
high severity CVE-2021-41274
Patched versions: >= 2.5.4
Unaffected versions: < 1.0.0

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of solidus_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
    • A before_action callback (the default)
    • A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
  • Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Patches

Users should promptly update to solidus_auth_devise version 2.5.4.

Workarounds

A couple of options:

  • If possible, change your strategy to :exception:

    class ApplicationController < ActionController::Base
    
       protect_from_forgery with: :exception
    end
    
  • Add the following to config/application.rb to at least run the :exception strategy on the affected controller:

    config.after_initialize do
      Spree::UsersController.protect_from_forgery
    with: :exception
    end
    
  • We've also released new Solidus versions monkey patching solidus_auth_devise with the quick fix. Those versions are v3.1.3, v.3.0.3 & v2.11.12. See GHSA-5629-8855-gf4g for details.

References

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.