spree_auth_devise 3.5.0
Authentication Bypass by CSRF Weakness
critical severity GHSA-gpqc-4pp7-5954< 4.0.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery
method is both:
- Executed whether as:
- A before_action callback (the default)
- A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
- Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end
Add the following toconfig/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery with: :exception
end
References
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Authentication Bypass by CSRF Weakness
high severity CVE-2021-41275~> 4.0.1
, ~> 4.1.1
, ~> 4.2.1
, >= 4.4.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery
method is both:
- Executed whether as:
- A
before_action
callback (the default) - A
prepend_before_action
(optionprepend: true
given) before the:load_object
hook inSpree::UserController
(most likely order to find).
- A
- Configured to use
:null_session` or
:reset_sessionstrategies (``:null_session
is the default in case the no strategy is given, butrails --new
generated skeleton use ``:exception`).
That means that applications that haven't been configured differently from what is generated with Rails aren't affected.
Patches
- Spree 4.3 users should update to
spree_auth_devise
4.4.1 - Spree 4.2 users should update to
spree_auth_devise
4.2.1 - Spree 4.1 users should update to
spree_auth_devise
4.1.1 - Older Spree version users should update to
spree_auth_devise
4.0.1
Workarounds
If possible, change your strategy to :exception
:
class ApplicationController
< ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery
with: :exception
end
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.