spree_auth_devise 1.0.1
Authentication Bypass by CSRF Weakness
critical severity | GHSA-gpqc-4pp7-5954 | affected versions: < 4.0.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise are affected if the protect_from_forgery method is both:
- Executed, whether as:
  - a before_action callback (the default), or
  - a prepend_before_action (option prepend: true given), before the :load_object hook in Spree::UsersController (the most likely order to find in practice).
- Configured to use the :null_session or :reset_session strategy (:null_session is the default when no strategy is given, but the skeleton generated by rails new uses :exception).
That means applications that have not been configured differently from what Rails generates are not affected. Check every place protect_from_forgery is called, not only ApplicationController: a :null_session or :reset_session call in any ancestor of Spree::UsersController reintroduces the condition.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
- Spree 4.3 users should update to spree_auth_devise 4.4.1
- Spree 4.2 users should update to spree_auth_devise 4.2.1
- Spree 4.1 users should update to spree_auth_devise 4.1.1
- Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end

Otherwise, add the following to config/application.rb to at least run the :exception strategy on the affected controller:

    config.after_initialize do
      Spree::UsersController.protect_from_forgery with: :exception
    end
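To make concrete why the Impact section singles out :null_session and :reset_session, and why the workaround switches to :exception, the following is an added example (not code from spree_auth_devise or Rails) that models the three forgery-protection strategies in plain Ruby. It keeps only the behaviour relevant here: whether the action body still executes after a request arrives without a valid authenticity token. Real Rails masks tokens, also checks the Origin header, and exposes a NullSessionHash object rather than a frozen Hash; those details are simplified, and the ToyRequest struct and forged_request helper are constructed for the demonstration.

```ruby
# Added example (not spree_auth_devise or Rails code): a minimal model of the
# protect_from_forgery strategies and what each lets a forged request do.

class InvalidAuthenticityToken < StandardError; end

# Constructed request: the session a browser cookie would restore, plus the
# form params an attacker-controlled page can POST cross-site.
ToyRequest = Struct.new(:session, :params, keyword_init: true)

# Constant-time comparison so token checking does not leak timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_valid?(session, params)
  expected = session['_csrf_token'].to_s
  given    = params['authenticity_token'].to_s
  !expected.empty? && secure_compare(expected, given)
end

# What Rails' handle_unverified_request does under each strategy (simplified).
def handle_unverified(request, strategy)
  case strategy
  when :exception     then raise InvalidAuthenticityToken
  when :reset_session then request.session = {}         # session wiped, request continues
  when :null_session  then request.session = {}.freeze  # empty read-only session, request continues
  else raise ArgumentError, "unknown strategy #{strategy.inspect}"
  end
end

# Simulated request cycle: verification runs first (as a before_action would),
# then the action body. Returns what happened so callers can inspect it.
def dispatch(request, strategy:)
  begin
    handle_unverified(request, strategy) unless token_valid?(request.session, request.params)
  rescue InvalidAuthenticityToken
    return { action_ran: false, status: 422, current_user: nil }
  end

  # Under :null_session and :reset_session the body still executes, with no
  # user in the session. A controller that then locates the record to update
  # from anything other than the session works on attacker-chosen input.
  { action_ran: true, status: 200, current_user: request.session['user_id'] }
end

# Constructed forged request: a logged-in victim's session, but the POSTed form
# carries no authenticity_token (a cross-site page cannot read the real one).
def forged_request
  ToyRequest.new(session: { 'user_id' => 42, '_csrf_token' => 'legit-token' },
                 params:  { 'email' => 'attacker@example.com' })
end

# Same session, but the token a same-origin form would include.
def legitimate_request
  r = forged_request
  r.params['authenticity_token'] = 'legit-token'
  r
end

if __FILE__ == $PROGRAM_NAME
  %i[exception null_session reset_session].each do |strategy|
    puts "#{strategy}: #{dispatch(forged_request, strategy: strategy)}"
  end
end
```

Running the block prints one line per strategy: only :exception reports action_ran: false for the forged request, which is the property the workaround relies on. The other two strategies let the action run with an empty session, so whether they are safe depends entirely on what the action does next, which is exactly the dependency the advisory describes for Spree::UsersController.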
References
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Authentication Bypass by CSRF Weakness
high severity | CVE-2021-41275 | patched versions: ~> 4.0.1, ~> 4.1.1, ~> 4.2.1, >= 4.4.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise are affected if the protect_from_forgery method is both:
- Executed, whether as:
  - a before_action callback (the default), or
  - a prepend_before_action (option prepend: true given), before the :load_object hook in Spree::UsersController (the most likely order to find in practice).
- Configured to use the :null_session or :reset_session strategy (:null_session is the default when no strategy is given, but the skeleton generated by rails new uses :exception).
That means applications that have not been configured differently from what Rails generates are not affected.
Patches
- Spree 4.3 users should update to spree_auth_devise 4.4.1
- Spree 4.2 users should update to spree_auth_devise 4.2.1
- Spree 4.1 users should update to spree_auth_devise 4.1.1
- Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end

Otherwise, add the following to config/application.rb to at least run the :exception strategy on the affected controller:

    config.after_initialize do
      Spree::UsersController.protect_from_forgery with: :exception
    end
Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation
medium severity | CVE-2013-2506 | patched versions: ~> 1.1.6, ~> 1.2.0, >= 1.3.0
Spree contains a flaw that allows unauthorized privileges to be gained. Input related to mass role assignment in app/models/spree/user.rb is not properly verified before being used to update a user, so a remote attacker who can submit a user update may assign arbitrary roles to that user and gain elevated administrative privileges.
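The advisory above describes the classic mass-assignment shape: every key in a submitted attribute hash is written to the model, so a role field smuggled into a profile update lands alongside the email change. The following is an added example (not Spree's code, and not the actual patch) that reproduces that pattern in plain Ruby next to an allow-list that closes it. ToyUser, ADMIN_ROLE_ID, PERMITTED and malicious_params are constructed for the demonstration; the real model's attribute names and persistence layer are not modelled.

```ruby
# Added example (not Spree code): mass assignment of roles, vulnerable form
# beside a permitted-attributes form.

ADMIN_ROLE_ID = 1 # constructed: stands in for the id of an admin role row

class ToyUser
  attr_accessor :email, :password, :role_ids

  def initialize(email:, role_ids: [])
    @email    = email
    @role_ids = role_ids
  end

  def admin?
    role_ids.include?(ADMIN_ROLE_ID)
  end
end

# Vulnerable: every submitted key is written through its setter, so a request
# that adds role_ids[]=1 to an ordinary profile edit promotes the caller.
def update_unchecked(user, attrs)
  attrs.each { |key, value| user.public_send("#{key}=", value) }
  user
end

# Hardened: only attributes a user may change about themselves are written.
# Role membership is not self-service, so it never appears in the list.
PERMITTED = %w[email password].freeze

# Returns the updated user and the list of rejected keys, so a controller can
# log the attempt rather than silently dropping it.
def update_permitted(user, attrs)
  rejected = attrs.keys.map(&:to_s) - PERMITTED
  attrs.each do |key, value|
    user.public_send("#{key}=", value) if PERMITTED.include?(key.to_s)
  end
  [user, rejected]
end

# Constructed attacker-controlled params: what params[:user] would hold after
# a POST to the profile update endpoint with an extra role_ids[] field added
# to the form by hand.
def malicious_params
  { 'email' => 'mallory@example.com', 'role_ids' => [ADMIN_ROLE_ID] }
end

if __FILE__ == $PROGRAM_NAME
  victim = update_unchecked(ToyUser.new(email: 'mallory@example.com'), malicious_params)
  puts "unchecked: admin? #{victim.admin?}"
  safe, rejected = update_permitted(ToyUser.new(email: 'mallory@example.com'), malicious_params)
  puts "permitted: admin? #{safe.admin?}, rejected keys: #{rejected.inspect}"
end
```

The allow-list is deliberately defined next to the update code rather than on the model: whether a field may be set depends on who is calling, and an admin-only path would use a different, wider list. Logging the rejected keys turns a blocked privilege-escalation attempt into a detectable event instead of a silent no-op.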
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
Author did not declare a license for this gem in the gemspec.
This gem version has a BSD-3-Clause license in the source code, but it is not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for use.