GHSA-gpqc-4pp7-5954

Suggest an improvement
Source
https://github.com/advisories/GHSA-gpqc-4pp7-5954
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-gpqc-4pp7-5954/GHSA-gpqc-4pp7-5954.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gpqc-4pp7-5954
Published
2021-11-18T20:15:35Z
Modified
2024-12-07T05:28:41.530634Z
Severity
  • 9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Authentication Bypass by CSRF Weakness
Details

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

  • Executed whether as:
    • A beforeaction callback (the default)
    • A prependbeforeaction (option prepend: true given) before the :loadobject hook in Spree::UserController (most likely order to find).
  • Configured to use :nullsession or :resetsession strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spreeauthdevise 4.4.1 Spree 4.2 users should update to spreeauthdevise 4.2.1 Spree 4.1 users should update to spreeauthdevise 4.1.1 Older Spree version users should update to spreeauthdevise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rbto at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidusauthdevise/security/advisories/GHSA-xm34-v85h-9pg2

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-17T21:45:42Z"
}
References

Affected packages

RubyGems / spree_auth_devise

Package

Name
spree_auth_devise
Purl
pkg:gem/spree_auth_devise

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.0.1

Affected versions

1.*

1.0.0
1.0.1
1.2.0
1.3.1

3.*

3.0.5
3.0.6
3.1.0
3.2.0.beta
3.2.0
3.3.0.rc1
3.3.0
3.3.1
3.3.3
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.5.2

4.*

4.0.0.rc1
4.0.0.rc2
4.0.0