cvelistv5 - CVE-2021-41274

CVE-2021-41274 (GCVE-0-2021-41274)

Vulnerability from cvelistv5 – Published: 2021-11-17 19:55 – Updated: 2024-08-04 03:08

Summary

solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/solidusio/solidus_auth_devise/…	x_refsource_CONFIRM
	https://github.com/solidusio/solidus_auth_devise/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	solidusio	solidus_auth_devise	Affected: >= 1.0.0, < 2.5.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.696Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "solidus_auth_devise",
          "vendor": "solidusio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 2.5.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-17T19:55:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
        }
      ],
      "source": {
        "advisory": "GHSA-xm34-v85h-9pg2",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass by CSRF Weakness",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41274",
          "STATE": "PUBLIC",
          "TITLE": "Authentication Bypass by CSRF Weakness"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "solidus_auth_devise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 1.0.0, \u003c 2.5.4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "solidusio"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
              "refsource": "CONFIRM",
              "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
            },
            {
              "name": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555",
              "refsource": "MISC",
              "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-xm34-v85h-9pg2",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41274",
    "datePublished": "2021-11-17T19:55:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.696Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"1.0.0\", \"versionEndExcluding\": \"2.5.4\", \"matchCriteriaId\": \"CADA35C1-B317-4F1A-9486-410440DC1063\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.\"}, {\"lang\": \"es\", \"value\": \"solidus_auth_devise proporciona servicios de autenticaci\\u00f3n para el framework Solidus webstore, usando la gema Devise. En las versiones afectadas, solidus_auth_devise est\\u00e1 sujeto a una vulnerabilidad de tipo CSRF que permite la toma de posesi\\u00f3n de cuentas de usuario. Todas las aplicaciones que usan cualquier versi\\u00f3n del componente frontend de \\\"solidus_auth_devise\\\" est\\u00e1n afectadas si el m\\u00e9todo \\\"protect_from_forgery\\\" es ambos: Se ejecuta como: Una devoluci\\u00f3n de llamada \\\"before_action\\\" (la predeterminada) o Una \\\"prepend_before_action\\\" (opci\\u00f3n \\\"prepend: true\\\" dada) antes del hook \\\":load_object\\\" en \\\"Spree::UserController\\\" (orden m\\u00e1s probable de encontrar). Configurado para usar las estrategias \\\":null_session\\\" o \\\":reset_session\\\" (\\\":null_session\\\" es la predeterminada en caso de que no se d\\u00e9 ninguna estrategia, pero el esqueleto generado por \\\"rails --new\\\" usa \\\":exception\\\"). Los usuarios deber\\u00edan actualizar r\\u00e1pidamente a la versi\\u00f3n \\\"solidus_auth_devise\\\" \\\"2.5.4\\\". Los usuarios que no puedan actualizar deber\\u00edan, si es posible, cambiar su estrategia a \\\":exception\\\". Por favor, consulte el enlace GHSA para m\\u00e1s detalles sobre la soluci\\u00f3n.\"}]",
      "id": "CVE-2021-41274",
      "lastModified": "2024-11-21T06:25:56.540",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-11-17T20:15:10.463",
      "references": "[{\"url\": \"https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41274\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-11-17T20:15:10.463\",\"lastModified\":\"2024-11-21T06:25:56.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.\"},{\"lang\":\"es\",\"value\":\"solidus_auth_devise proporciona servicios de autenticaci\u00f3n para el framework Solidus webstore, usando la gema Devise. En las versiones afectadas, solidus_auth_devise est\u00e1 sujeto a una vulnerabilidad de tipo CSRF que permite la toma de posesi\u00f3n de cuentas de usuario. Todas las aplicaciones que usan cualquier versi\u00f3n del componente frontend de \\\"solidus_auth_devise\\\" est\u00e1n afectadas si el m\u00e9todo \\\"protect_from_forgery\\\" es ambos: Se ejecuta como: Una devoluci\u00f3n de llamada \\\"before_action\\\" (la predeterminada) o Una \\\"prepend_before_action\\\" (opci\u00f3n \\\"prepend: true\\\" dada) antes del hook \\\":load_object\\\" en \\\"Spree::UserController\\\" (orden m\u00e1s probable de encontrar). Configurado para usar las estrategias \\\":null_session\\\" o \\\":reset_session\\\" (\\\":null_session\\\" es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero el esqueleto generado por \\\"rails --new\\\" usa \\\":exception\\\"). Los usuarios deber\u00edan actualizar r\u00e1pidamente a la versi\u00f3n \\\"solidus_auth_devise\\\" \\\"2.5.4\\\". Los usuarios que no puedan actualizar deber\u00edan, si es posible, cambiar su estrategia a \\\":exception\\\". Por favor, consulte el enlace GHSA para m\u00e1s detalles sobre la soluci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.0.0\",\"versionEndExcluding\":\"2.5.4\",\"matchCriteriaId\":\"CADA35C1-B317-4F1A-9486-410440DC1063\"}]}]}],\"references\":[{\"url\":\"https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}"
  }
}

GSD-2021-41274

Vulnerability from gsd - Updated: 2021-11-18 00:00

Details

### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: - Executed whether as: - A `before_action` callback (the default) - A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). - Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. ### Patches Users should promptly update to `solidus_auth_devise` version `2.5.4`. ### Workarounds A couple of options: - If possible, change your strategy to `:exception`: ```ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end ``` - Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` - We've also released new Solidus versions monkey patching `solidus_auth_devise` with the quick fix. Those versions are `v3.1.3`, `v.3.0.3` & `v2.11.12`. See [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g) for details. ### References - [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) - [Solidus security](https://solidus.io/security/)

Aliases

CVE-2021-41274

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41274",
    "description": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.",
    "id": "GSD-2021-41274"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "solidus_auth_devise",
            "purl": "pkg:gem/solidus_auth_devise"
          }
        }
      ],
      "aliases": [
        "CVE-2021-41274",
        "GHSA-xm34-v85h-9pg2"
      ],
      "details": "### Impact\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `solidus_auth_devise`\nare affected if `protect_from_forgery` method is both:\n- Executed whether as:\n  - A `before_action` callback (the default)\n  - A `prepend_before_action` (option `prepend: true` given) before the\n    `:load_object` hook in `Spree::UserController` (most likely order to find).\n- Configured to use `:null_session` or `:reset_session` strategies\n  (`:null_session` is the default in case the no strategy is given, but\n  `rails --new` generated skeleton use `:exception`).\n\nThat means that applications that haven\u0027t been configured differently from\nwhat it\u0027s generated with Rails aren\u0027t affected.\n\n### Patches\nUsers should promptly update to `solidus_auth_devise` version `2.5.4`.\n\n### Workarounds\nA couple of options:\n\n- If possible, change your strategy to `:exception`:\n  ```ruby\n  class ApplicationController \u003c ActionController::Base\n\n     protect_from_forgery with: :exception\n  end\n  ```\n\n- Add the following to `config/application.rb` to at least run the `:exception`\n  strategy on the affected controller:\n  ```ruby\n  config.after_initialize do\n    Spree::UsersController.protect_from_forgery\n  with: :exception\n  end\n  ```\n\n- We\u0027ve also released new Solidus versions monkey patching `solidus_auth_devise`\n  with the quick fix. Those versions are `v3.1.3`, `v.3.0.3` \u0026 `v2.11.12`. See\n  [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g)\n  for details.\n\n### References\n- [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)\n- [Solidus security](https://solidus.io/security/)\n",
      "id": "GSD-2021-41274",
      "modified": "2021-11-18T00:00:00.000Z",
      "published": "2021-11-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 9.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Authentication Bypass by CSRF Weakness"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41274",
        "STATE": "PUBLIC",
        "TITLE": "Authentication Bypass by CSRF Weakness"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "solidus_auth_devise",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 1.0.0, \u003c 2.5.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "solidusio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
            "refsource": "CONFIRM",
            "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
          },
          {
            "name": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555",
            "refsource": "MISC",
            "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-xm34-v85h-9pg2",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-41274",
      "cvss_v3": 9.3,
      "date": "2021-11-18",
      "description": "### Impact\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `solidus_auth_devise`\nare affected if `protect_from_forgery` method is both:\n- Executed whether as:\n  - A `before_action` callback (the default)\n  - A `prepend_before_action` (option `prepend: true` given) before the\n    `:load_object` hook in `Spree::UserController` (most likely order to find).\n- Configured to use `:null_session` or `:reset_session` strategies\n  (`:null_session` is the default in case the no strategy is given, but\n  `rails --new` generated skeleton use `:exception`).\n\nThat means that applications that haven\u0027t been configured differently from\nwhat it\u0027s generated with Rails aren\u0027t affected.\n\n### Patches\nUsers should promptly update to `solidus_auth_devise` version `2.5.4`.\n\n### Workarounds\nA couple of options:\n\n- If possible, change your strategy to `:exception`:\n  ```ruby\n  class ApplicationController \u003c ActionController::Base\n\n     protect_from_forgery with: :exception\n  end\n  ```\n\n- Add the following to `config/application.rb` to at least run the `:exception`\n  strategy on the affected controller:\n  ```ruby\n  config.after_initialize do\n    Spree::UsersController.protect_from_forgery\n  with: :exception\n  end\n  ```\n\n- We\u0027ve also released new Solidus versions monkey patching `solidus_auth_devise`\n  with the quick fix. Those versions are `v3.1.3`, `v.3.0.3` \u0026 `v2.11.12`. See\n  [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g)\n  for details.\n\n### References\n- [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)\n- [Solidus security](https://solidus.io/security/)\n",
      "gem": "solidus_auth_devise",
      "ghsa": "xm34-v85h-9pg2",
      "patched_versions": [
        "\u003e= 2.5.4"
      ],
      "title": "Authentication Bypass by CSRF Weakness",
      "unaffected_versions": [
        "\u003c 1.0.0"
      ],
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.0.0 \u003c2.5.4",
          "affected_versions": "All versions starting from 1.0.0 before 2.5.4",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2021-11-24",
          "description": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem.Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`).",
          "fixed_versions": [
            "2.5.4"
          ],
          "identifier": "CVE-2021-41274",
          "identifiers": [
            "CVE-2021-41274",
            "GHSA-xm34-v85h-9pg2"
          ],
          "not_impacted": "All versions before 1.0.0, all versions starting from 2.5.4",
          "package_slug": "gem/solidus_auth_devise",
          "pubdate": "2021-11-17",
          "solution": "Upgrade to version 2.5.4 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41274",
            "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
            "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
          ],
          "uuid": "13293296-6f7f-4f19-a2a3-edcbeb474128"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.5.4",
                "versionStartIncluding": "1.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41274"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
            },
            {
              "name": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-24T04:48Z",
      "publishedDate": "2021-11-17T20:15Z"
    }
  }
}

GHSA-XM34-V85H-9PG2

Vulnerability from github – Published: 2021-11-18 20:09 – Updated: 2021-11-17 19:57

Summary

Authentication Bypass by CSRF Weakness

Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of solidus_auth_devise are affected if protect_from_forgery method is both: - Executed whether as: - A before_action callback (the default) - A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). - Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Patches

Users should promptly update to solidus_auth_devise version 2.5.4.

Workarounds

A couple of options:

If possible, change your strategy to :exception: ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end
Add the following to config/application.rb to at least run the :exception strategy on the affected controller: ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end
We've also released new Solidus versions monkey patching solidus_auth_devise with the quick fix. Those versions are v3.1.3, v.3.0.3 & v2.11.12. See GHSA-5629-8855-gf4g for details.

References

Thanks

We'd like to thank vampire000 for reporting this issue.

For more information

If you have any questions or comments about this advisory: * Open an issue in solidus_auth_devise or a discussion in solidus * Email us at security@solidus.io * Contact the core team on Slack

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "solidus_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T19:57:48Z",
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of  `solidus_auth_devise` are affected if `protect_from_forgery` method is both: \n- Executed whether as:\n  - A `before_action` callback (the default)\n  - A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find).\n- Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`).\n\nThat means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected.\n\n### Patches\nUsers should promptly update to `solidus_auth_devise` version `2.5.4`.\n\n### Workarounds\nA couple of options:\n\n- If possible, change your strategy to `:exception`:\n  ```ruby\n  class ApplicationController \u003c ActionController::Base\n    protect_from_forgery with: :exception\n  end\n  ```\n\n- Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller:\n  ```ruby\n  config.after_initialize do\n    Spree::UsersController.protect_from_forgery with: :exception\n  end\n  ```\n\n- We\u0027ve also released new Solidus versions monkey patching `solidus_auth_devise` with the quick fix. Those versions are `v3.1.3`, `v.3.0.3` \u0026 `v2.11.12`. See [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g) for details.\n\n### References\n- [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)\n- [Solidus security](https://solidus.io/security/)\n\n### Thanks\nWe\u0027d like to thank [vampire000](https://hackerone.com/vampire000) for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions)\n* Email us at [security@solidus.io](mailto:security@soliidus.io)\n* Contact the core team on [Slack](http://slack.solidus.io/)\n",
  "id": "GHSA-xm34-v85h-9pg2",
  "modified": "2021-11-17T19:57:48Z",
  "published": "2021-11-18T20:09:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_auth_devise/CVE-2021-41274.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/solidusio/solidus_auth_devise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/releases/tag/v2.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass by CSRF Weakness"
}

FKIE_CVE-2021-41274

Vulnerability from fkie_nvd - Published: 2021-11-17 20:15 - Updated: 2024-11-21 06:25

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	nebulab	solidus_auth_devise	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "CADA35C1-B317-4F1A-9486-410440DC1063",
              "versionEndExcluding": "2.5.4",
              "versionStartIncluding": "1.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."
    },
    {
      "lang": "es",
      "value": "solidus_auth_devise proporciona servicios de autenticaci\u00f3n para el framework Solidus webstore, usando la gema Devise. En las versiones afectadas, solidus_auth_devise est\u00e1 sujeto a una vulnerabilidad de tipo CSRF que permite la toma de posesi\u00f3n de cuentas de usuario. Todas las aplicaciones que usan cualquier versi\u00f3n del componente frontend de \"solidus_auth_devise\" est\u00e1n afectadas si el m\u00e9todo \"protect_from_forgery\" es ambos: Se ejecuta como: Una devoluci\u00f3n de llamada \"before_action\" (la predeterminada) o Una \"prepend_before_action\" (opci\u00f3n \"prepend: true\" dada) antes del hook \":load_object\" en \"Spree::UserController\" (orden m\u00e1s probable de encontrar). Configurado para usar las estrategias \":null_session\" o \":reset_session\" (\":null_session\" es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero el esqueleto generado por \"rails --new\" usa \":exception\"). Los usuarios deber\u00edan actualizar r\u00e1pidamente a la versi\u00f3n \"solidus_auth_devise\" \"2.5.4\". Los usuarios que no puedan actualizar deber\u00edan, si es posible, cambiar su estrategia a \":exception\". Por favor, consulte el enlace GHSA para m\u00e1s detalles sobre la soluci\u00f3n."
    }
  ],
  "id": "CVE-2021-41274",
  "lastModified": "2024-11-21T06:25:56.540",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-17T20:15:10.463",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CNVD-2021-90853

Vulnerability from cnvd - Published: 2021-11-25

Title

Solidus跨站请求伪造漏洞

Description

Solidus是一套开源的电子商务系统。 Solidus Solidus_auth_devise 中存在跨站请求伪造漏洞，该漏洞源于产品缺少CSRF验证。攻击者可通过该漏洞向服务端发送非预期的请求。

Severity

中

Patch Name

Solidus跨站请求伪造漏洞的补丁

Patch Description

Solidus是一套开源的电子商务系统。 Solidus Solidus_auth_devise 中存在跨站请求伪造漏洞，该漏洞源于产品缺少CSRF验证。攻击者可通过该漏洞向服务端发送非预期的请求。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Reference

https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555

Impacted products

Name
solidus Solidus >=1.0.0，<2.5.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41274"
    }
  },
  "description": "Solidus\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u3002\n\nSolidus Solidus_auth_devise \u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7f3a\u5c11CSRF\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5411\u670d\u52a1\u7aef\u53d1\u9001\u975e\u9884\u671f\u7684\u8bf7\u6c42\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-90853",
  "openTime": "2021-11-25",
  "patchDescription": "Solidus\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7535\u5b50\u5546\u52a1\u7cfb\u7edf\u3002\r\n\r\nSolidus Solidus_auth_devise \u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u4ea7\u54c1\u7f3a\u5c11CSRF\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u8be5\u6f0f\u6d1e\u5411\u670d\u52a1\u7aef\u53d1\u9001\u975e\u9884\u671f\u7684\u8bf7\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Solidus\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "solidus Solidus \u003e=1.0.0\uff0c\u003c2.5.4"
  },
  "referenceLink": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555",
  "serverity": "\u4e2d",
  "submitTime": "2021-11-22",
  "title": "Solidus\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41274 (GCVE-0-2021-41274)

GSD-2021-41274

GHSA-XM34-V85H-9PG2

Impact

Patches

Workarounds

References

Thanks

For more information

FKIE_CVE-2021-41274

CNVD-2021-90853

Tags

Sightings

Nomenclature