Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2021-41274
HistoryNov 17, 2021 - 8:15 p.m.

CVE-2021-41274

2021-11-1720:15:10
CWE-352
[email protected]
web.nvd.nist.gov
42
solidus_auth_devise
csrf
vulnerability
account takeover
authentication
webstore
framework
devise gem
cve-2021-41274

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.0%

JSON

solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of solidus_auth_devise are affected if protect_from_forgery method is both: Executed whether as: A before_action callback (the default) or A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find). Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception). Users should promptly update to solidus_auth_devise version 2.5.4. Users unable to update should if possible, change their strategy to :exception. Please see the linked GHSA for more workaround details.

Affected configurations

Vulners
NVD
Node
solidusiosolidus_auth_deviseRange1.0.02.5.4

CNA Affected

[
  {
    "product": "solidus_auth_devise",
    "vendor": "solidusio",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.0.0, < 2.5.4"
      }
    ]
  }
]

Related

osv 2
github 1
veracode 1
cnvd 1
nvd 1
prion 1
cvelist 1
osv
osv
Authentication Bypass by CSRF Weakness
2021-11-18 20:09:32
CVE-2021-41274
2021-11-17 20:15:10
github
github
Authentication Bypass by CSRF Weakness
2021-11-18 20:09:32
veracode
veracode
Authentication Bypass
2021-11-18 04:29:28
cnvd
cnvd
Solidus Cross-Site Request Forgery Vulnerability
2021-11-22 00:00:00
nvd
nvd
CVE-2021-41274
2021-11-17 20:15:10
prion
prion
Cross site request forgery (csrf)
2021-11-17 20:15:00
cvelist
cvelist
CVE-2021-41274 Authentication Bypass by CSRF Weakness
2021-11-17 19:55:11

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.0%

JSON
Related for CVE-2021-41274
osv2github1veracode1cnvd1nvd1prion1cvelist1