CVE-2021-41275

Published on: Not Yet Published

Last Modified on: 11/24/2021 04:50:00 AM UTC

CVE-2021-41275 - advisory for GHSA-26xx-m4q2-xhq8

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Certain versions of Spree Auth Devise from Spreecommerce contain the following vulnerability:

spree_auth_devise is an open source library which provides authentication and authorization services for use with the Spree storefront framework by using an underlying Devise authentication framework. In affected versions spree_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if the protect_from_forgery method is both:

* Executed, whether as a before_action callback (the default) or as a prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (the most likely order to find).
* Configured to use the :null_session or :reset_session strategy (:null_session is the default in case no strategy is given, but a `rails new` generated skeleton uses :exception).

Users are advised to update their spree_auth_devise gem. For users unable to update, it may be possible to change your strategy to :exception. Please see the linked GHSA for more workaround details.

### Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of `spree_auth_devise` are affected if the `protect_from_forgery` method is both:

* Executed, whether as:
  * A `before_action` callback (the default)
  * A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (the most likely order to find).
* Configured to use the `:null_session` or `:reset_session` strategy (`:null_session` is the default in case no strategy is given, but a `rails new` generated skeleton uses `:exception`).

That means that applications that haven't been configured differently from what Rails generates aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch.

### Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1.
Spree 4.2 users should update to spree_auth_devise 4.2.1.

### Workarounds

If possible, change your strategy to `:exception`:

```ruby
class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
```

Alternatively, add the following to `config/application.rb` to at least run the `:exception` strategy on the affected controller:

```ruby
config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end
```

### References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
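As an added example (not code from the advisory or from the spree_auth_devise project), the following Ruby audit helper applies the two conditions above: it reports the effective `protect_from_forgery` strategy of each call found in a controller source (a call with no `with:` option is treated as Rails' default `:null_session`) and checks a spree_auth_devise version against the affected ranges listed on this page. The controller sources and version numbers it is run on are constructed samples.

```ruby
# Added audit helper; not code from the advisory or from spree_auth_devise.
require 'rubygems' # Gem::Version / Gem::Requirement from the standard library

# Affected spree_auth_devise ranges exactly as listed on this page.
AFFECTED_RANGES = [
  ['>= 4.3.0', '< 4.4.1'],
  ['>= 4.2.0', '< 4.2.1'],
  ['>= 4.1.0', '< 4.1.1'],
  ['< 4.0.1']
].freeze

# Strategies the advisory names as affected. A protect_from_forgery call with
# no `with:` option falls back to Rails' default, :null_session.
WEAK_STRATEGIES = %i[null_session reset_session].freeze

def affected_version?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |reqs| Gem::Requirement.new(*reqs).satisfied_by?(v) }
end

# Returns [line_number, strategy, weak?] for every (non-comment) call to
# protect_from_forgery in a controller source string.
def forgery_strategies(source)
  source.each_line.with_index(1).map do |line, no|
    next unless line =~ /\bprotect_from_forgery\b/ && !line.lstrip.start_with?('#')
    strategy = line[/with:\s*:(\w+)/, 1]
    strategy = strategy ? strategy.to_sym : :null_session
    [no, strategy, WEAK_STRATEGIES.include?(strategy)]
  end.compact
end

# Constructed sample controllers (not taken from any real application).
WEAK_APP = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery
  end
RUBY

HARDENED_APP = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  { 'weak' => WEAK_APP, 'hardened' => HARDENED_APP }.each do |name, src|
    forgery_strategies(src).each do |no, strategy, weak|
      puts "#{name}: line #{no} uses :#{strategy} (#{weak ? 'AFFECTED' : 'ok'})"
    end
  end
  puts "spree_auth_devise 4.3.0 affected? #{affected_version?('4.3.0')}"
end
```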

  • CVE-2021-41275 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: spree - spree_auth_devise version >= 4.3.0, < 4.4.1
  • Affected Vendor/Software: spree - spree_auth_devise version >= 4.2.0, < 4.2.1
  • Affected Vendor/Software: spree - spree_auth_devise version >= 4.1.0, < 4.1.1
  • Affected Vendor/Software: spree - spree_auth_devise version < 4.0.1

CVSS3 Score: 8.8 - HIGH

| Attack Vector | Attack Complexity | Privileges Required | User Interaction |
| --- | --- | --- | --- |
| NETWORK | LOW | NONE | REQUIRED |

| Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
| --- | --- | --- | --- |
| UNCHANGED | HIGH | HIGH | HIGH |

CVSS2 Score: 6.8 - MEDIUM

| Access Vector | Access Complexity | Authentication |
| --- | --- | --- |
| NETWORK | MEDIUM | NONE |

| Confidentiality Impact | Integrity Impact | Availability Impact |
| --- | --- | --- |
| PARTIAL | PARTIAL | PARTIAL |

CVE References

| Description | Tags | Link |
| --- | --- | --- |
| [PATCH] Fix account takeover through CSRF attack · spree/spree_auth_devise@adf6ed4 · GitHub | MISC | github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63 |
| Authentication Bypass by CSRF Weakness · Advisory · spree/spree_auth_devise · GitHub | CONFIRM | github.com/spree/spree_auth_devise/security/advisories/GHSA-26xx-m4q2-xhq8 |

Known Affected Configurations (CPE V2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
| --- | --- | --- | --- | --- | --- | --- |
| Application | Spreecommerce | Spree Auth Devise | All | All | All | All |
| Application | Spreecommerce | Spree Auth Devise | 4.1.0 | - | All | All |
| Application | Spreecommerce | Spree Auth Devise | 4.1.0 | rc1 | All | All |
| Application | Spreecommerce | Spree Auth Devise | 4.2.0 | All | All | All |
| Application | Spreecommerce | Spree Auth Devise | All | All | All | All |

  • cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*:
  • cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:-:*:*:*:ruby:*:*:
  • cpe:2.3:a:spreecommerce:spree_auth_devise:4.1.0:rc1:*:*:*:ruby:*:*:
  • cpe:2.3:a:spreecommerce:spree_auth_devise:4.2.0:*:*:*:*:ruby:*:*:
  • cpe:2.3:a:spreecommerce:spree_auth_devise:*:*:*:*:*:ruby:*:*:

Social Mentions

| Source | Title | Posted (UTC) |
| --- | --- | --- |
| Twitter @CVEreport | CVE-2021-41275 : spree_auth_devise is an open source library which provides authentication and authorization servic… twitter.com/i/web/status/1… | 2021-11-17 19:52:32 |