CVE-2021-43846 CSRF forgery protection bypass for Spree::OrdersController#populate

2021-12-2021:30:11

CWE-352

GitHub_M

www.cve.org

solidus_frontend

csrf

forgery protection

spree::orderscontroller#populate

e-commerce

csrf token

vulnerability

mitigation

github security advisory

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

44.6%

JSON

solidus_frontend is the cart and storefront for the Solidus e-commerce project. Versions of solidus_frontend prior to 3.1.5, 3.0.5, and 2.11.14 contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user’s cart without their knowledge. Versions 3.1.5, 3.0.5, and 2.11.14 contain a patch for this issue. The patch adds CSRF token verification to the “Add to cart” action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory.

CNA Affected

[
  {
    "product": "solidus",
    "vendor": "solidusio",
    "versions": [
      {
        "status": "affected",
        "version": ">= 3.1.0, < 3.1.5"
      },
      {
        "status": "affected",
        "version": ">= 3.0.0, < 3.0.5"
      },
      {
        "status": "affected",
        "version": "< 2.11.14"
      }
    ]
  }
]