solidus_core 1.3.0.rc2

2 security vulnerabilities found in version 1.3.0.rc2

Authentication Bypass by CSRF Weakness

high severity GHSA-5629-8855-gf4g
high severity GHSA-5629-8855-gf4g
Patched versions: >= 3.1.3, ~> 3.0.3, ~> 2.11.12

Impact

The actual vulnerability has been discovered on solidus_auth_devise. See GHSA-xm34-v85h-9pg2 for details.

The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update solidus_auth_devise. For this reason, it has been marked as low impact on this end.

Patches

For extra security, update solidus_core to versions 3.1.3, 3.0.3, or 2.11.12.

Workarounds

Look at the workarounds described at GHSA-xm34-v85h-9pg2.

ReDos vulnerability on guest checkout email validation

high severity CVE-2021-43805
high severity CVE-2021-43805
Patched versions: ~> 2.11.13, ~> 3.0.4, >= 3.1.4

Impact

Denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like a.a..

Before the patch, it can be reproduced in the console like this:

irb(main)> Spree::EmailValidator::EMAIL_REGEXP.match "a@a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.@"
processing time: 54.293660s
=> nil

To reproduce in the browser, fill in the "Customer Email" field with that fake email address during a guest checkout. Before that, you should open the browser dev tools and change the type attribute for that field from email to text. After entering a fake address and pressing the "Save & Continue" button, the browser will take a long term to perform the request before showing an error message for the invalid address. Eventually, making the email string even longer could lead to the exhaustion of server resources.

Patches

Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression.

There's an improbable chance that some orders in your system end up having associated an email address that is no longer valid. We've added a task to check precisely that:

bin/rails solidus:check_orders_with_invalid_email

The above will print information for every affected order if any.

Workarounds

If a prompt upgrade is not an option, please, add the following to config/application.rb:

config.after_initialize do
  Spree::EmailValidator.send(:remove_const, :EMAIL_REGEXP)
  Spree::EmailValidator::EMAIL_REGEXP = URI::MailTo::EMAIL_REGEXP
end

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.