GHSA-XM34-V85H-9PG2

Vulnerability from github – Published: 2021-11-18 20:09 – Updated: 2021-11-17 19:57
Summary
Authentication Bypass by CSRF Weakness
Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of solidus_auth_devise are affected if the protect_from_forgery method is both:

  • executed, either as:
    • a before_action callback (the default), or
    • a prepend_before_action (option prepend: true given) declared before the :load_object hook in Spree::UserController (the most likely order to find), and
  • configured to use the :null_session or :reset_session strategy (:null_session is the default when no strategy is given, but the skeleton generated by rails new uses :exception).

That means applications that have kept the Rails-generated default (:exception) are not affected.

Patches

Users should promptly update to solidus_auth_devise version 2.5.4.

Workarounds

A couple of options:

  • If possible, change your strategy to :exception:

    ```ruby
    class ApplicationController < ActionController::Base
      protect_from_forgery with: :exception
    end
    ```

  • Add the following to config/application.rb to at least run the :exception strategy on the affected controller:

    ```ruby
    config.after_initialize do
      Spree::UsersController.protect_from_forgery with: :exception
    end
    ```

  • We've also released new Solidus versions monkey patching solidus_auth_devise with the quick fix. Those versions are v3.1.3, v3.0.3 & v2.11.12. See GHSA-5629-8855-gf4g (https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g) for details.
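To make the Impact and Workarounds sections concrete, the following is an added example (not code from the advisory or from solidus_auth_devise): a Rails-free model of the callback ordering described above. FakeUsersController, its session hash and the request params are constructed stand-ins; it shows that when load_object runs before the CSRF check, :null_session and :reset_session leave the already-loaded user in place, while :exception aborts the request.

```ruby
require "securerandom"

class ForgeryError < StandardError; end

# Constructed stand-in for Spree::UsersController's callback chain (not Rails).
class FakeUsersController
  attr_reader :user

  # strategy:   :null_session, :reset_session or :exception (protect_from_forgery options)
  # load_first: true  => load_object runs before the CSRF check (prepend_before_action,
  #                      or declared ahead of protect_from_forgery), the affected order
  #             false => the CSRF check runs first
  def initialize(session, strategy:, load_first:)
    @session, @strategy, @load_first = session, strategy, load_first
    @user = nil
  end

  # Runs the callbacks in order and returns the record the update would apply to.
  def handle_update(params)
    order = @load_first ? %i[load_object verify_authenticity_token] : %i[verify_authenticity_token load_object]
    order.each { |cb| send(cb, params) }
    @user
  end

  private

  # Models load_object: the record comes from the session's current user.
  def load_object(_params)
    @user = @session[:current_user]
  end

  # Models protect_from_forgery: the submitted token must match the session's token.
  def verify_authenticity_token(params)
    return if params[:authenticity_token] && params[:authenticity_token] == @session[:csrf_token]
    case @strategy
    when :exception     then raise ForgeryError, "invalid authenticity token"
    when :reset_session then @session.clear  # session emptied, action still runs
    when :null_session  then @session = {}   # empty session, action still runs
    end
  end
end

# A cross-site POST arrives with the victim's cookie but without a valid token.
# Returns the user the update would hit (nil if the session was discarded first).
def forged_update(strategy:, load_first:)
  session = { current_user: "victim@example.com", csrf_token: SecureRandom.hex(16) }
  ctrl = FakeUsersController.new(session, strategy: strategy, load_first: load_first)
  ctrl.handle_update({ email: "changed@example.com" }) # constructed params, no token
end
```

Only the :exception strategy (the first workaround) stops the update regardless of callback order; reordering the check ahead of load_object is what the upstream fix has to guarantee.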

References

  • CSRF on the Rails guides: https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
  • Solidus security: https://solidus.io/security/

Thanks

We'd like to thank vampire000 for reporting this issue.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in solidus_auth_devise (https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in solidus (https://github.com/solidusio/solidus/discussions)
  • Email us at security@solidus.io
  • Contact the core team on Slack (http://slack.solidus.io/)


{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "solidus_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "2.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41274"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T19:57:48Z",
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of  `solidus_auth_devise` are affected if `protect_from_forgery` method is both: \n- Executed whether as:\n  - A `before_action` callback (the default)\n  - A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find).\n- Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`).\n\nThat means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected.\n\n### Patches\nUsers should promptly update to `solidus_auth_devise` version `2.5.4`.\n\n### Workarounds\nA couple of options:\n\n- If possible, change your strategy to `:exception`:\n  ```ruby\n  class ApplicationController \u003c ActionController::Base\n    protect_from_forgery with: :exception\n  end\n  ```\n\n- Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller:\n  ```ruby\n  config.after_initialize do\n    Spree::UsersController.protect_from_forgery with: :exception\n  end\n  ```\n\n- We\u0027ve also released new Solidus versions monkey patching `solidus_auth_devise` with the quick fix. Those versions are `v3.1.3`, `v.3.0.3` \u0026 `v2.11.12`. See [GHSA-5629-8855-gf4g](https://github.com/solidusio/solidus/security/advisories/GHSA-5629-8855-gf4g) for details.\n\n### References\n- [CSRF on the Rails guides](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)\n- [Solidus security](https://solidus.io/security/)\n\n### Thanks\nWe\u0027d like to thank [vampire000](https://hackerone.com/vampire000) for reporting this issue.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions)\n* Email us at [security@solidus.io](mailto:security@soliidus.io)\n* Contact the core team on [Slack](http://slack.solidus.io/)\n",
  "id": "GHSA-xm34-v85h-9pg2",
  "modified": "2021-11-17T19:57:48Z",
  "published": "2021-11-18T20:09:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41274"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_auth_devise/CVE-2021-41274.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/solidusio/solidus_auth_devise"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/releases/tag/v2.5.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Authentication Bypass by CSRF Weakness"
}