GHSA-26XX-M4Q2-XHQ8

Vulnerability from github – Published: 2021-11-18 20:14 – Updated: 2025-07-01 17:28
VLAI?
Summary
Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness
Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
  • A before_action callback (the default)
  • A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
  • Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rbto at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Severity ?
9.3 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T21:07:45Z",
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n  * A before_action callback (the default)\n  * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).\n* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).\n\nThat means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected.\n\nThanks @waiting-for-dev for reporting and providing a patch \ud83d\udc4f \n\n### Patches\n\nSpree 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update to spree_auth_devise 4.2.1\nSpree 4.1 users should update to spree_auth_devise 4.1.1\nOlder Spree version users should update to spree_auth_devise 4.0.1\n \n### Workarounds\n\nIf possible, change your strategy to :exception:\n\n```ruby\nclass ApplicationController \u003c ActionController::Base\n  protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize do\n  Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
  "id": "GHSA-26xx-m4q2-xhq8",
  "modified": "2025-07-01T17:28:05Z",
  "published": "2021-11-18T20:14:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spree/spree_auth_devise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.