RUBY:SOLIDUS_AUTH_DEVISE-2021-41274 (rubygems advisory, source: RubySec)
Published: Nov 17, 2021 - 9:00 p.m.

Authentication Bypass by CSRF Weakness


CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of solidus_auth_devise
are affected if the protect_from_forgery method is both:

  • Executed either as:
    • A before_action callback (the default), or
    • A prepend_before_action (option prepend: true given) that runs before the
      :load_object hook in Spree::UserController (the most likely order to find).
  • Configured to use the :null_session or :reset_session strategy
    (:null_session is the default when no strategy is given, but the skeleton
    generated by `rails new` uses :exception).

That means applications whose configuration hasn't been changed from what
Rails generates aren't affected.

Patches

Users should promptly update to solidus_auth_devise version 2.5.4.

Workarounds

A couple of options:

  • If possible, change your strategy to :exception:

    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end
    
  • Add the following to config/application.rb to at least run the :exception
    strategy on the affected controller:

    config.after_initialize do
      Spree::UsersController.protect_from_forgery with: :exception
    end
    
  • We’ve also released new Solidus versions monkey patching solidus_auth_devise
    with the quick fix. Those versions are v3.1.3, v3.0.3 & v2.11.12. See
    GHSA-5629-8855-gf4g for details.
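To see why the first two workarounds are sufficient, the following added example (written for this page, not code from Solidus or Rails) models a Rails-style callback chain with no framework dependency. The names UsersControllerModel, simulate and VALID_TOKEN are assumptions of the model; the behaviour it reproduces is the one the advisory describes: with :null_session or :reset_session Rails clears the session and lets the action continue, so an object loaded by a hook that ran before the forgery check is still acted on, whereas :exception aborts the request.

```ruby
# Added example for this advisory: a toy model of a Rails-style before_action
# chain (not Solidus or Rails code). It shows why the :null_session and
# :reset_session CSRF strategies fail to protect an action whose object was
# loaded by an earlier callback, while :exception stops the request.

class ForgeryDetected < StandardError; end

# Constructed request: the browser always sends the session cookie, so the
# session carries the logged-in user even on a forged cross-site request;
# only a legitimate same-origin form carries a valid authenticity token.
Request = Struct.new(:session, :params, :authenticity_token, keyword_init: true)
VALID_TOKEN = "constructed-valid-token"

class UsersControllerModel
  # strategy: :null_session (Rails default), :reset_session or :exception
  # prepend_load_object: true models load_object declared with
  # prepend_before_action, i.e. running before the forgery check
  def initialize(strategy:, prepend_load_object:)
    @strategy = strategy
    @user = nil
    @callbacks = if prepend_load_object
                   [:load_object, :verify_authenticity_token]
                 else
                   [:verify_authenticity_token, :load_object]
                 end
  end

  # Runs the callbacks in order, then the update action. Returns a symbol
  # describing what happened so the outcome can be checked without Rails.
  def update(request)
    @request = request
    @callbacks.each { |cb| send(cb) }
    return :no_user if @user.nil?          # session was emptied: nothing to update
    @user[:email] = @request.params[:email]
    :updated
  rescue ForgeryDetected
    :rejected
  end

  private

  def load_object
    @user = @request.session[:current_user]
  end

  def verify_authenticity_token
    return if @request.authenticity_token == VALID_TOKEN
    case @strategy
    when :null_session, :reset_session
      @request.session = {}                # Rails empties the session and continues
    when :exception
      raise ForgeryDetected                # Rails aborts the request
    end
  end
end

# Processes one request against a constructed victim account and returns
# [outcome, e-mail stored for the victim afterwards].
def simulate(strategy:, prepend_load_object:, forged:)
  victim = { email: "victim@example.com" }
  request = Request.new(
    session: { current_user: victim },
    params: { email: "changed@example.com" },
    authenticity_token: forged ? nil : VALID_TOKEN
  )
  ctrl = UsersControllerModel.new(strategy: strategy,
                                  prepend_load_object: prepend_load_object)
  [ctrl.update(request), victim[:email]]
end

if __FILE__ == $0
  p simulate(strategy: :null_session, prepend_load_object: true, forged: true)
  p simulate(strategy: :exception,    prepend_load_object: true, forged: true)
end
```

The vulnerable combination is the prepended load_object together with :null_session (or :reset_session): the user is loaded before the session is cleared, so the forged update goes through. Switching the strategy to :exception, as in the workarounds above, rejects the same request regardless of callback order.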

Affected configurations

  Vendor: ruby
  Product: solidus_auth_devise
  Version: Range 2.5.4 (fixed in 2.5.4; see Patches)
  CPE: cpe:2.3:a:ruby:solidus_auth_devise:*:*:*:*:*:*:*:*
