CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of solidus_auth_devise
are affected if protect_from_forgery
method is both:
before_action
callback (the default)prepend_before_action
(option prepend: true
given) before the:load_object
hook in Spree::UserController
(most likely order to find).:null_session
or :reset_session
strategies:null_session
is the default in case the no strategy is given, butrails --new
generated skeleton use :exception
).That means that applications that haven’t been configured differently from
what it’s generated with Rails aren’t affected.
Users should promptly update to solidus_auth_devise
version 2.5.4
.
A couple of options:
If possible, change your strategy to :exception
:
class ApplicationController < ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery
with: :exception
end
We’ve also released new Solidus versions monkey patching solidus_auth_devise
with the quick fix. Those versions are v3.1.3
, v.3.0.3
& v2.11.12
. See
GHSA-5629-8855-gf4g
for details.
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | solidus_auth_devise | * | cpe:2.3:a:ruby:solidus_auth_devise:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N