spree_auth_devise 1.0.1

3 security vulnerabilities found in version 1.0.1

Authentication Bypass by CSRF Weakness

critical severity GHSA-gpqc-4pp7-5954
critical severity GHSA-gpqc-4pp7-5954
Affected versions: < 4.0.1

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
    • A before_action callback (the default)
    • A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
  • Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rb to at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Authentication Bypass by CSRF Weakness

high severity CVE-2021-41275
high severity CVE-2021-41275
Patched versions: ~> 4.0.1, ~> 4.1.1, ~> 4.2.1, >= 4.4.1

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
    • A before_action callback (the default)
    • A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
  • Configured to use :null_session` or :reset_session strategies (``:null_session is the default in case the no strategy is given, but rails --new generated skeleton use ``:exception`).

That means that applications that haven't been configured differently from what is generated with Rails aren't affected.

Patches

  • Spree 4.3 users should update to spree_auth_devise 4.4.1
  • Spree 4.2 users should update to spree_auth_devise 4.2.1
  • Spree 4.1 users should update to spree_auth_devise 4.1.1
  • Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController
  < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following to config/application.rb to at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery
  with: :exception
end

Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation

medium severity CVE-2013-2506
medium severity CVE-2013-2506
Patched versions: ~> 1.1.6, ~> 1.2.0, >= 1.3.0

Spree contains a flaw that leads to unauthorized privileges being gained. The issue is triggered as certain input related to mass role assignment in app/models/spree/user.rb is not properly verified before being used to update a user. This may allow a remote attacker to assign arbitrary roles and gain elevated administrative privileges.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a BSD-3-Clause license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.