GHSA-GPQC-4PP7-5954
Vulnerability from github – Published: 2021-11-18 20:15 – Updated: 2025-07-01 19:19
VLAI?
Summary
Duplicate Advisory: Authentication Bypass by CSRF Weakness
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-26xx-m4q2-xhq8. This link is maintained to preserve external references.
Original Description
Impact
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:
- Executed whether as:
- A before_action callback (the default)
- A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
- Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.
Thanks @waiting-for-dev for reporting and providing a patch 👏
Patches
Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1
Workarounds
If possible, change your strategy to :exception:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end
Add the following toconfig/application.rbto at least run the :exception strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery with: :exception
end
References
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Severity ?
9.3 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree_auth_devise"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-17T21:45:42Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-26xx-m4q2-xhq8. This link is maintained to preserve external references.\n\n## Original Description\n\n### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll applications using any version of the frontend component of `spree_auth_devise` are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n * A before_action callback (the default)\n * A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).\n* Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).\n\nThat means that applications that haven\u0027t been configured differently from what it\u0027s generated with Rails aren\u0027t affected.\n\nThanks @waiting-for-dev for reporting and providing a patch \ud83d\udc4f \n\n### Patches\n\nSpree 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update to spree_auth_devise 4.2.1\nSpree 4.1 users should update to spree_auth_devise 4.1.1\nOlder Spree version users should update to spree_auth_devise 4.0.1\n \n### Workarounds\n\nIf possible, change your strategy to :exception:\n\n```ruby\nclass ApplicationController \u003c ActionController::Base\n protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize do\n Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2",
"id": "GHSA-gpqc-4pp7-5954",
"modified": "2025-07-01T19:19:56Z",
"published": "2021-11-18T20:15:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"
},
{
"type": "WEB",
"url": "https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/spree/spree_auth_devise"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: Authentication Bypass by CSRF Weakness",
"withdrawn": "2025-07-01T19:19:56Z"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…