CVE-2021-41274 - OpenCVE

Vendors	Products
Nebulab	Solidus Auth Devise

Link	Providers
https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

{"containers": {"cna": {"affected": [{"product": "solidus_auth_devise", "vendor": "solidusio", "versions": [{"status": "affected", "version": ">= 1.0.0, < 2.5.4"}]}], "descriptions": [{"lang": "en", "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-17T19:55:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"}], "source": {"advisory": "GHSA-xm34-v85h-9pg2", "discovery": "UNKNOWN"}, "title": "Authentication Bypass by CSRF Weakness", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41274", "STATE": "PUBLIC", "TITLE": "Authentication Bypass by CSRF Weakness"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "solidus_auth_devise", "version": {"version_data": [{"version_value": ">= 1.0.0, < 2.5.4"}]}}]}, "vendor_name": "solidusio"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2", "refsource": "CONFIRM", "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"}, {"name": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555", "refsource": "MISC", "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"}]}, "source": {"advisory": "GHSA-xm34-v85h-9pg2", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.696Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41274", "datePublished": "2021-11-17T19:55:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.696Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "CADA35C1-B317-4F1A-9486-410440DC1063", "versionEndExcluding": "2.5.4", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details."}, {"lang": "es", "value": "solidus_auth_devise proporciona servicios de autenticaci\u00f3n para el framework Solidus webstore, usando la gema Devise. En las versiones afectadas, solidus_auth_devise est\u00e1 sujeto a una vulnerabilidad de tipo CSRF que permite la toma de posesi\u00f3n de cuentas de usuario. Todas las aplicaciones que usan cualquier versi\u00f3n del componente frontend de \"solidus_auth_devise\" est\u00e1n afectadas si el m\u00e9todo \"protect_from_forgery\" es ambos: Se ejecuta como: Una devoluci\u00f3n de llamada \"before_action\" (la predeterminada) o Una \"prepend_before_action\" (opci\u00f3n \"prepend: true\" dada) antes del hook \":load_object\" en \"Spree::UserController\" (orden m\u00e1s probable de encontrar). Configurado para usar las estrategias \":null_session\" o \":reset_session\" (\":null_session\" es la predeterminada en caso de que no se d\u00e9 ninguna estrategia, pero el esqueleto generado por \"rails --new\" usa \":exception\"). Los usuarios deber\u00edan actualizar r\u00e1pidamente a la versi\u00f3n \"solidus_auth_devise\" \"2.5.4\". Los usuarios que no puedan actualizar deber\u00edan, si es posible, cambiar su estrategia a \":exception\". Por favor, consulte el enlace GHSA para m\u00e1s detalles sobre la soluci\u00f3n."}], "id": "CVE-2021-41274", "lastModified": "2021-11-24T04:48:51.327", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-11-17T20:15:10.463", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object