RubySec advisory RUBY:SPREE_AUTH_DEVISE-2021-41275 (rubygems)
Published: Nov 17, 2021, 9:00 p.m.

Authentication Bypass by CSRF Weakness

Source: RubySec (rubysec.com)

Tags: csrf weakness, spree_auth_devise, authentication bypass, account takeover,
protect_from_forgery, strategy, patch, workaround, rails configuration

CVSS2: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise
are affected if the protect_from_forgery method is both:

  • Executed either as:
    • a before_action callback (the default), or
    • a prepend_before_action (option prepend: true given) declared before the
      :load_object hook in Spree::UserController (the most likely order to find).
  • Configured to use the :null_session or :reset_session strategies
    (:null_session is the default when no strategy is given, but the skeleton
    generated by rails new uses :exception).

That means that applications that haven’t been configured differently from
what is generated with Rails aren’t affected.

Patches

  • Spree 4.3 users should update to spree_auth_devise 4.4.1
  • Spree 4.2 users should update to spree_auth_devise 4.2.1
  • Spree 4.1 users should update to spree_auth_devise 4.1.1
  • Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following to config/application.rb to at least run the :exception
strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end
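As an added illustration of the callback ordering described under Impact, and of why the :exception workaround above closes it: this is a toy model written for this page, not Spree or Rails code, and ToyUsersController, USERS and outcome_for are invented names. The prepended :load_object resolves the user from the session before the forgery check runs, so a strategy that only blanks or resets the session leaves the already-loaded user in place for the action.

```ruby
# Toy model of the Rails callback ordering the advisory describes (added
# illustration, not Spree or Rails code): a prepended :load_object resolves
# the user from the session BEFORE the forgery check runs, so a strategy that
# only nulls or resets the session does not undo what was already loaded.
class ForgeryError < StandardError; end
USERS = { 1 => { email: "alice@example.test" } } # constructed sample record

class ToyUsersController
  def initialize(session:, token_valid:, strategy:)
    @session, @token_valid, @strategy = session, token_valid, strategy
    @user = nil
  end

  # Execution order: load_object was prepended, so it precedes the
  # verify_authenticity_token callback that protect_from_forgery installs.
  CALLBACKS = [:load_object, :verify_authenticity_token].freeze

  def load_object
    @user = USERS[@session[:user_id]]
  end

  def verify_authenticity_token
    return if @token_valid
    case @strategy
    when :null_session  then @session = {}        # blank session, request continues
    when :reset_session then @session.clear       # session reset, request continues
    when :exception     then raise ForgeryError   # request halted before the action
    end
  end

  # The action mutates whatever load_object already put in @user.
  def update(params)
    return :no_user unless @user
    @user[:email] = params[:email]
    :updated
  end

  def dispatch(params)
    CALLBACKS.each { |cb| send(cb) }
    update(params)
  rescue ForgeryError
    :rejected
  end
end

# One request without a valid CSRF token, run against a given strategy.
def outcome_for(strategy)
  USERS[1][:email] = "alice@example.test" # reset the constructed record
  ToyUsersController.new(session: { user_id: 1 }, token_valid: false, strategy: strategy).dispatch(email: "changed@example.test")
end
```

Only the :exception strategy stops the request before the action runs; the other two return :updated even though the token was invalid.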

Affected configurations (Vulners)

  • ruby / spree_auth_devise: range 4.0.0 to 4.1.0
  • ruby / spree_auth_devise: range 4.1.0 to 4.2.0
  • ruby / spree_auth_devise: range 4.2.0 to 4.3.0
  • ruby / spree_auth_devise: < 4.4.1

Vendor: ruby; Product: spree_auth_devise; Version: *;
CPE: cpe:2.3:a:ruby:spree_auth_devise:*:*:*:*:*:*:*:*
