spree_auth_devise 4.3.0
1 security vulnerability
found in version
4.3.0
Authentication Bypass by CSRF Weakness
high severity CVE-2021-41275
high severity
CVE-2021-41275
Patched versions:
~> 4.0.1
, ~> 4.1.1
, ~> 4.2.1
, >= 4.4.1
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery
method is both:
- Executed whether as:
- A
before_action
callback (the default) - A
prepend_before_action
(optionprepend: true
given) before the:load_object
hook inSpree::UserController
(most likely order to find).
- A
- Configured to use
:null_session` or
:reset_sessionstrategies (``:null_session
is the default in case the no strategy is given, butrails --new
generated skeleton use ``:exception`).
That means that applications that haven't been configured differently from what is generated with Rails aren't affected.
Patches
- Spree 4.3 users should update to
spree_auth_devise
4.4.1 - Spree 4.2 users should update to
spree_auth_devise
4.2.1 - Spree 4.1 users should update to
spree_auth_devise
4.1.1 - Older Spree version users should update to
spree_auth_devise
4.0.1
Workarounds
If possible, change your strategy to :exception
:
class ApplicationController
< ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery
with: :exception
end
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.