CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
CSRF vulnerability that allows user account takeover.
All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery
method is both:
before_action
callback (the default)prepend_before_action
(option prepend: true
given) before the:load_object
hook in Spree::UserController
(most likely order to find).:null_session` or
:reset_session strategies (``:null_session
is the default in case the no strategy is given, but rails --new
That means that applications that haven’t been configured differently from
what is generated with Rails aren’t affected.
spree_auth_devise
4.4.1spree_auth_devise
4.2.1spree_auth_devise
4.1.1spree_auth_devise
4.0.1If possible, change your strategy to :exception
:
class ApplicationController
< ActionController::Base
protect_from_forgery with: :exception
end
Add the following to config/application.rb
to at least run the :exception
strategy on the affected controller:
config.after_initialize do
Spree::UsersController.protect_from_forgery
with: :exception
end
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | spree_auth_devise | * | cpe:2.3:a:ruby:spree_auth_devise:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N