CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of solidus_auth_devise
are affected if protect_from_forgery
method is both:
before_action
callback (the default)prepend_before_action
(option prepend: true
given) before the :load_object
hook in Spree::UserController
(most likely order to find).:null_session
or :reset_session
strategies (:null_session
is the default in case the no strategy is given, but rails --new
generated skeleton use :exception
).That means that applications that haven’t been configured differently from what it’s generated with Rails aren’t affected.
Users should promptly update to solidus_auth_devise
version 2.5.4
.
A couple of options:
If possible, change your strategy to :exception
:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery with: :exception
end
We’ve also released new Solidus versions monkey patching solidus_auth_devise
with the quick fix. Those versions are v3.1.3
, v.3.0.3
& v2.11.12
. See GHSA-5629-8855-gf4g for details.
We’d like to thank vampire000 for reporting this issue.
If you have any questions or comments about this advisory:
github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_auth_devise/CVE-2021-41274.yml
github.com/solidusio/solidus_auth_devise
github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
github.com/solidusio/solidus_auth_devise/releases/tag/v2.5.4
github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
nvd.nist.gov/vuln/detail/CVE-2021-41274