cvelistv5 - cve-2021-41275

CVE-2021-41275 (GCVE-0-2021-41275)

Vulnerability from cvelistv5 – Published: 2021-11-17 19:50 – Updated: 2024-08-04 03:08

Summary

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven't been configured differently from what it's generated with Rails aren't affected. Thanks @waiting-for-dev for reporting and providing a patch �� ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Severity ?

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/spree/spree_auth_devise/securi…	x_refsource_CONFIRM
	https://github.com/spree/spree_auth_devise/commit…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	spree	spree_auth_devise	Affected: >= 4.3.0, < 4.4.1 Affected: >= 4.2.0, < 4.2.1 Affected: >= 4.1.0, < 4.1.1 Affected: < 4.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.652Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "spree_auth_devise",
          "vendor": "spree",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.3.0, \u003c 4.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.2.0, \u003c 4.2.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.1.0, \u003c 4.1.1"
            },
            {
              "status": "affected",
              "version": "\u003c 4.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-17T19:50:11",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
        }
      ],
      "source": {
        "advisory": "GHSA-26xx-m4q2-xhq8",
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Bypass by CSRF Weakness",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41275",
          "STATE": "PUBLIC",
          "TITLE": "Authentication Bypass by CSRF Weakness"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "spree_auth_devise",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003e= 4.3.0, \u003c 4.4.1"
                          },
                          {
                            "version_value": "\u003e= 4.2.0, \u003c 4.2.1"
                          },
                          {
                            "version_value": "\u003e= 4.1.0, \u003c 4.1.1"
                          },
                          {
                            "version_value": "\u003c 4.0.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "spree"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8",
              "refsource": "CONFIRM",
              "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
            },
            {
              "name": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63",
              "refsource": "MISC",
              "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-26xx-m4q2-xhq8",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41275",
    "datePublished": "2021-11-17T19:50:11",
    "dateReserved": "2021-09-15T00:00:00",
    "dateUpdated": "2024-08-04T03:08:31.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*\", \"versionEndIncluding\": \"4.0.1\", \"matchCriteriaId\": \"1B29C2AC-BE4D-4BA9-9EE6-F10E3DB02F3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"4.3.0\", \"versionEndExcluding\": \"4.4.1\", \"matchCriteriaId\": \"1779B068-94FF-47BC-8A5D-FF423AC1DEF4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:-:*:*:*:ruby:*:*\", \"matchCriteriaId\": \"D26C42FF-BA82-45FC-994A-383C5C1E5E81\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:rc1:*:*:*:ruby:*:*\", \"matchCriteriaId\": \"6D1DB81F-F324-48AE-9641-4862AB5F2304\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:spreecommerce:spree_auth_devise:4.2.0:*:*:*:*:ruby:*:*\", \"matchCriteriaId\": \"F6936681-9A4A-4876-B918-4D9585CF6B3A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \\ufffd\\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\"}, {\"lang\": \"es\", \"value\": \"spree_auth_devise es una librer\\u00eda de c\\u00f3digo abierto que proporciona servicios de autenticaci\\u00f3n y autorizaci\\u00f3n para su uso con el marco de trabajo de la tienda Spree mediante el uso de un marco de trabajo de autenticaci\\u00f3n Devise subyacente. En las versiones afectadas, spree_auth_devise est\\u00e1 sujeto a una vulnerabilidad CSRF que permite la toma de posesi\\u00f3n de cuentas de usuario. Todas las aplicaciones que utilizan cualquier versi\\u00f3n del componente frontend de spree_auth_devise est\\u00e1n afectadas si el m\\u00e9todo protect_from_forgery es ambos: Se ejecuta como: Un callback before_action (el predeterminado). Un prepend_before_action (opci\\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\\u00e1s probable de encontrar). Configurado para utilizar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\\u00e9 ninguna estrategia, pero los ra\\u00edles --nuevo esqueleto generado utilizan :exception). Se recomienda a los usuarios que actualicen su gema spree_auth_devise. Para los usuarios que no puedan actualizar, puede ser posible cambiar su estrategia a :exception. Por favor, consulte el GHSA vinculado para m\\u00e1s detalles de la soluci\\u00f3n. ### Impacto Vulnerabilidad CSRF que permite la toma de cuenta del usuario. Todas las aplicaciones que utilizan cualquier versi\\u00f3n del componente frontend de `spree_auth_devise` est\\u00e1n afectadas si el m\\u00e9todo `protect_from_forgery` es a la vez: * Se ejecuta ya sea como: * Un callback before_action (el predeterminado) * Un prepend_before_action (opci\\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\\u00e1s probable de encontrar). * Configurado para usar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\\u00e9 ninguna estrategia, pero el esqueleto generado por rails --new usa :exception). Eso significa que las aplicaciones que no han sido configuradas de forma diferente a la generada con Rails no se ven afectadas. Gracias @waiting-for-dev por informar y proporcionar un parche ? ### Parches Los usuarios de Spree 4.3 deben actualizar a spree_auth_devise 4.4.1 Los usuarios de Spree 4.2 deben actualizar a spree_auth_devise 4.2.1 ### Soluciones Si es posible, cambia tu estrategia a :exception: ```ruby class ApplicationController \u0026lt; ActionController::Base protect_from_forgery with: :exception end ``` A\\u00f1ade lo siguiente a `config/application. rb ``para ejecutar al menos la estrategia `:exception` en el controlador afectado: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### Referencias https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\"}]",
      "id": "CVE-2021-41275",
      "lastModified": "2024-11-21T06:25:56.670",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.8}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-11-17T20:15:10.527",
      "references": "[{\"url\": \"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-41275\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-11-17T20:15:10.527\",\"lastModified\":\"2024-11-21T06:25:56.670\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\"},{\"lang\":\"es\",\"value\":\"spree_auth_devise es una librer\u00eda de c\u00f3digo abierto que proporciona servicios de autenticaci\u00f3n y autorizaci\u00f3n para su uso con el marco de trabajo de la tienda Spree mediante el uso de un marco de trabajo de autenticaci\u00f3n Devise subyacente. En las versiones afectadas, spree_auth_devise est\u00e1 sujeto a una vulnerabilidad CSRF que permite la toma de posesi\u00f3n de cuentas de usuario. Todas las aplicaciones que utilizan cualquier versi\u00f3n del componente frontend de spree_auth_devise est\u00e1n afectadas si el m\u00e9todo protect_from_forgery es ambos: Se ejecuta como: Un callback before_action (el predeterminado). Un prepend_before_action (opci\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\u00e1s probable de encontrar). Configurado para utilizar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero los ra\u00edles --nuevo esqueleto generado utilizan :exception). Se recomienda a los usuarios que actualicen su gema spree_auth_devise. Para los usuarios que no puedan actualizar, puede ser posible cambiar su estrategia a :exception. Por favor, consulte el GHSA vinculado para m\u00e1s detalles de la soluci\u00f3n. ### Impacto Vulnerabilidad CSRF que permite la toma de cuenta del usuario. Todas las aplicaciones que utilizan cualquier versi\u00f3n del componente frontend de `spree_auth_devise` est\u00e1n afectadas si el m\u00e9todo `protect_from_forgery` es a la vez: * Se ejecuta ya sea como: * Un callback before_action (el predeterminado) * Un prepend_before_action (opci\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\u00e1s probable de encontrar). * Configurado para usar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero el esqueleto generado por rails --new usa :exception). Eso significa que las aplicaciones que no han sido configuradas de forma diferente a la generada con Rails no se ven afectadas. Gracias @waiting-for-dev por informar y proporcionar un parche ? ### Parches Los usuarios de Spree 4.3 deben actualizar a spree_auth_devise 4.4.1 Los usuarios de Spree 4.2 deben actualizar a spree_auth_devise 4.2.1 ### Soluciones Si es posible, cambia tu estrategia a :exception: ```ruby class ApplicationController \u0026lt; ActionController::Base protect_from_forgery with: :exception end ``` A\u00f1ade lo siguiente a `config/application. rb ``para ejecutar al menos la estrategia `:exception` en el controlador afectado: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### Referencias https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*\",\"versionEndIncluding\":\"4.0.1\",\"matchCriteriaId\":\"1B29C2AC-BE4D-4BA9-9EE6-F10E3DB02F3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"4.3.0\",\"versionEndExcluding\":\"4.4.1\",\"matchCriteriaId\":\"1779B068-94FF-47BC-8A5D-FF423AC1DEF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:-:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"D26C42FF-BA82-45FC-994A-383C5C1E5E81\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:rc1:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"6D1DB81F-F324-48AE-9641-4862AB5F2304\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:spreecommerce:spree_auth_devise:4.2.0:*:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"F6936681-9A4A-4876-B918-4D9585CF6B3A\"}]}]}],\"references\":[{\"url\":\"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2021-41275

Vulnerability from fkie_nvd - Published: 2021-11-17 20:15 - Updated: 2024-11-21 06:25

Severity ?

9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8	Third Party Advisory

Impacted products

Vendor	Product	Version
spreecommerce	spree_auth_devise	*
spreecommerce	spree_auth_devise	*
spreecommerce	spree_auth_devise	4.1.0
spreecommerce	spree_auth_devise	4.1.0
spreecommerce	spree_auth_devise	4.2.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "1B29C2AC-BE4D-4BA9-9EE6-F10E3DB02F3A",
              "versionEndIncluding": "4.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "1779B068-94FF-47BC-8A5D-FF423AC1DEF4",
              "versionEndExcluding": "4.4.1",
              "versionStartIncluding": "4.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:-:*:*:*:ruby:*:*",
              "matchCriteriaId": "D26C42FF-BA82-45FC-994A-383C5C1E5E81",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:rc1:*:*:*:ruby:*:*",
              "matchCriteriaId": "6D1DB81F-F324-48AE-9641-4862AB5F2304",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.2.0:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "F6936681-9A4A-4876-B918-4D9585CF6B3A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ufffd\ufffd ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "lang": "es",
      "value": "spree_auth_devise es una librer\u00eda de c\u00f3digo abierto que proporciona servicios de autenticaci\u00f3n y autorizaci\u00f3n para su uso con el marco de trabajo de la tienda Spree mediante el uso de un marco de trabajo de autenticaci\u00f3n Devise subyacente. En las versiones afectadas, spree_auth_devise est\u00e1 sujeto a una vulnerabilidad CSRF que permite la toma de posesi\u00f3n de cuentas de usuario. Todas las aplicaciones que utilizan cualquier versi\u00f3n del componente frontend de spree_auth_devise est\u00e1n afectadas si el m\u00e9todo protect_from_forgery es ambos: Se ejecuta como: Un callback before_action (el predeterminado). Un prepend_before_action (opci\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\u00e1s probable de encontrar). Configurado para utilizar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero los ra\u00edles --nuevo esqueleto generado utilizan :exception). Se recomienda a los usuarios que actualicen su gema spree_auth_devise. Para los usuarios que no puedan actualizar, puede ser posible cambiar su estrategia a :exception. Por favor, consulte el GHSA vinculado para m\u00e1s detalles de la soluci\u00f3n. ### Impacto Vulnerabilidad CSRF que permite la toma de cuenta del usuario. Todas las aplicaciones que utilizan cualquier versi\u00f3n del componente frontend de `spree_auth_devise` est\u00e1n afectadas si el m\u00e9todo `protect_from_forgery` es a la vez: * Se ejecuta ya sea como: * Un callback before_action (el predeterminado) * Un prepend_before_action (opci\u00f3n prepend: true dada) antes del hook :load_object en Spree::UserController (orden m\u00e1s probable de encontrar). * Configurado para usar las estrategias :null_session o :reset_session (:null_session es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero el esqueleto generado por rails --new usa :exception). Eso significa que las aplicaciones que no han sido configuradas de forma diferente a la generada con Rails no se ven afectadas. Gracias @waiting-for-dev por informar y proporcionar un parche ? ### Parches Los usuarios de Spree 4.3 deben actualizar a spree_auth_devise 4.4.1 Los usuarios de Spree 4.2 deben actualizar a spree_auth_devise 4.2.1 ### Soluciones Si es posible, cambia tu estrategia a :exception: ```ruby class ApplicationController \u0026lt; ActionController::Base protect_from_forgery with: :exception end ``` A\u00f1ade lo siguiente a `config/application. rb ``para ejecutar al menos la estrategia `:exception` en el controlador afectado: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### Referencias https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    }
  ],
  "id": "CVE-2021-41275",
  "lastModified": "2024-11-21T06:25:56.670",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-17T20:15:10.527",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2021-41275

Vulnerability from gsd - Updated: 2021-11-18 00:00

Details

### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A `before_action` callback (the default) * A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). * Configured to use ``:null_session` or ``:reset_session` strategies (``:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use ``:exception`). That means that applications that haven't been configured differently from what is generated with Rails aren't affected. ### Patches * Spree 4.3 users should update to `spree_auth_devise` 4.4.1 * Spree 4.2 users should update to `spree_auth_devise` 4.2.1 * Spree 4.1 users should update to `spree_auth_devise` 4.1.1 * Older Spree version users should update to `spree_auth_devise` 4.0.1 ### Workarounds If possible, change your strategy to `:exception`: ```ruby class ApplicationController < ActionController::Base protect_from_forgery with: :exception end ``` Add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ```

Aliases

CVE-2021-41275

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41275",
    "description": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ud83d\udc4f ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
    "id": "GSD-2021-41275"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "spree_auth_devise",
            "purl": "pkg:gem/spree_auth_devise"
          }
        }
      ],
      "aliases": [
        "CVE-2021-41275",
        "GHSA-26xx-m4q2-xhq8"
      ],
      "details": "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise`\nare affected if `protect_from_forgery` method is both:\n* Executed whether as:\n  * A `before_action` callback (the default)\n  * A `prepend_before_action` (option `prepend: true` given) before the\n    `:load_object` hook in `Spree::UserController` (most likely order to find).\n* Configured to use ``:null_session` or ``:reset_session` strategies\n  (``:null_session` is the default in case the no strategy is given, but `rails --new`\n  generated skeleton use ``:exception`).\n\nThat means that applications that haven\u0027t been configured differently from\nwhat is generated with Rails aren\u0027t affected.\n\n### Patches\n\n* Spree 4.3 users should update to `spree_auth_devise` 4.4.1\n* Spree 4.2 users should update to `spree_auth_devise` 4.2.1\n* Spree 4.1 users should update to `spree_auth_devise` 4.1.1\n* Older Spree version users should update to `spree_auth_devise` 4.0.1\n\n### Workarounds\n\nIf possible, change your strategy to `:exception`:\n\n```ruby\nclass ApplicationController\n  \u003c ActionController::Base\n  protect_from_forgery with: :exception\nend\n```\n\nAdd the following to `config/application.rb` to at least run the `:exception`\nstrategy on the affected controller:\n\n```ruby\nconfig.after_initialize do\n  Spree::UsersController.protect_from_forgery\n  with: :exception\nend\n```\n",
      "id": "GSD-2021-41275",
      "modified": "2021-11-18T00:00:00.000Z",
      "published": "2021-11-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
        },
        {
          "type": "WEB",
          "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
        }
      ],
      "related": [
        "GHSA-xm34-v85h-9pg2",
        "GHSA-gpqc-4pp7-5954",
        "GHSA-8xfw-5q82-3652",
        "GHSA-6mqr-q86q-6gwr"
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 9.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Authentication Bypass by CSRF Weakness"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41275",
        "STATE": "PUBLIC",
        "TITLE": "Authentication Bypass by CSRF Weakness"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "spree_auth_devise",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 4.3.0, \u003c 4.4.1"
                        },
                        {
                          "version_value": "\u003e= 4.2.0, \u003c 4.2.1"
                        },
                        {
                          "version_value": "\u003e= 4.1.0, \u003c 4.1.1"
                        },
                        {
                          "version_value": "\u003c 4.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "spree"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch \ud83d\udc4f ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8",
            "refsource": "CONFIRM",
            "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
          },
          {
            "name": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63",
            "refsource": "MISC",
            "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-26xx-m4q2-xhq8",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-41275",
      "cvss_v3": 9.3,
      "date": "2021-11-18",
      "description": "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise`\nare affected if `protect_from_forgery` method is both:\n* Executed whether as:\n  * A `before_action` callback (the default)\n  * A `prepend_before_action` (option `prepend: true` given) before the\n    `:load_object` hook in `Spree::UserController` (most likely order to find).\n* Configured to use ``:null_session` or ``:reset_session` strategies\n  (``:null_session` is the default in case the no strategy is given, but `rails --new`\n  generated skeleton use ``:exception`).\n\nThat means that applications that haven\u0027t been configured differently from\nwhat is generated with Rails aren\u0027t affected.\n\n### Patches\n\n* Spree 4.3 users should update to `spree_auth_devise` 4.4.1\n* Spree 4.2 users should update to `spree_auth_devise` 4.2.1\n* Spree 4.1 users should update to `spree_auth_devise` 4.1.1\n* Older Spree version users should update to `spree_auth_devise` 4.0.1\n\n### Workarounds\n\nIf possible, change your strategy to `:exception`:\n\n```ruby\nclass ApplicationController\n  \u003c ActionController::Base\n  protect_from_forgery with: :exception\nend\n```\n\nAdd the following to `config/application.rb` to at least run the `:exception`\nstrategy on the affected controller:\n\n```ruby\nconfig.after_initialize do\n  Spree::UsersController.protect_from_forgery\n  with: :exception\nend\n```\n",
      "gem": "spree_auth_devise",
      "ghsa": "26xx-m4q2-xhq8",
      "patched_versions": [
        "~\u003e 4.0.1",
        "~\u003e 4.1.1",
        "~\u003e 4.2.1",
        "\u003e= 4.4.1"
      ],
      "related": {
        "ghsa": [
          "xm34-v85h-9pg2",
          "gpqc-4pp7-5954",
          "8xfw-5q82-3652",
          "6mqr-q86q-6gwr"
        ],
        "url": [
          "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
        ]
      },
      "title": "Authentication Bypass by CSRF Weakness",
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=4.0.1||\u003e=4.1.0 \u003c=4.4.1",
          "affected_versions": "All versions up to 4.0.1, all versions starting from 4.1.0 up to 4.4.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2023-03-01",
          "description": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework.* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).",
          "fixed_versions": [
            "4.1.0.rc1",
            "4.4.2"
          ],
          "identifier": "CVE-2021-41275",
          "identifiers": [
            "CVE-2021-41275",
            "GHSA-26xx-m4q2-xhq8"
          ],
          "not_impacted": "All versions after 4.0.1 before 4.1.0, all versions after 4.4.1",
          "package_slug": "gem/spree_auth_devise",
          "pubdate": "2021-11-17",
          "solution": "Upgrade to versions 4.1.0.rc1, 4.4.2 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41275",
            "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63",
            "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
          ],
          "uuid": "7580dc36-c854-4365-85d2-15d4ee7af385"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.4.1",
                "versionStartIncluding": "4.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.2.0:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:rc1:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndIncluding": "4.0.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:-:*:*:*:ruby:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41275"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default). A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users are advised to update their spree_auth_devise gem. For users unable to update it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details. ### Impact CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both: * Executed whether as: * A before_action callback (the default) * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). * Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). That means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected. Thanks @waiting-for-dev for reporting and providing a patch ? ### Patches Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 ### Workarounds If possible, change your strategy to :exception: ```ruby class ApplicationController \u003c ActionController::Base protect_from_forgery with: :exception end ``` Add the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller: ```ruby config.after_initialize do Spree::UsersController.protect_from_forgery with: :exception end ``` ### References https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
            },
            {
              "name": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-01T18:58Z",
      "publishedDate": "2021-11-17T20:15Z"
    }
  }
}

GHSA-26XX-M4Q2-XHQ8

Vulnerability from github – Published: 2021-11-18 20:14 – Updated: 2025-07-01 17:28

Summary

Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness

Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

Executed whether as:
A before_action callback (the default)
A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rbto at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Severity ?

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2.0"
            },
            {
              "fixed": "4.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "spree_auth_devise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T21:07:45Z",
    "nvd_published_at": "2021-11-17T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n  * A before_action callback (the default)\n  * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).\n* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).\n\nThat means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected.\n\nThanks @waiting-for-dev for reporting and providing a patch \ud83d\udc4f \n\n### Patches\n\nSpree 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update to spree_auth_devise 4.2.1\nSpree 4.1 users should update to spree_auth_devise 4.1.1\nOlder Spree version users should update to spree_auth_devise 4.0.1\n \n### Workarounds\n\nIf possible, change your strategy to :exception:\n\n```ruby\nclass ApplicationController \u003c ActionController::Base\n  protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize do\n  Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
  "id": "GHSA-26xx-m4q2-xhq8",
  "modified": "2025-07-01T17:28:05Z",
  "published": "2021-11-18T20:14:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41275"
    },
    {
      "type": "WEB",
      "url": "https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/spree/spree_auth_devise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Spree Auth Devise vulnerability allows for authentication bypass through CSRF weakness"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41275 (GCVE-0-2021-41275)

FKIE_CVE-2021-41275

GSD-2021-41275

GHSA-26XX-M4Q2-XHQ8

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature