CVE-2021-41274 : solidus_auth_devise provides authentication services for the Solidus webstore fr

solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.

Published 2021-11-17 20:15:10

Updated 2021-11-24 04:48:51

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Products affected by CVE-2021-41274

Nebulab » Solidus Auth Devise » For Ruby
Versions from including (>=) 1.0.0 and before (<) 2.5.4
cpe:2.3:a:nebulab:solidus_auth_devise:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-41274

EPSS FAQ

0.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 25 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-41274

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.3	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N	2.8	5.8	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2021-41274

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-41274

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Authentication Bypass by CSRF Weakness · Advisory · solidusio/solidus_auth_devise · GitHub
Exploit;Third Party Advisory
https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555

Merge pull request from GHSA-xm34-v85h-9pg2 · solidusio/solidus_auth_devise@731a664 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-41274

Products affected by CVE-2021-41274

Exploit prediction scoring system (EPSS) score for CVE-2021-41274

CVSS scores for CVE-2021-41274

CWE ids for CVE-2021-41274

References for CVE-2021-41274