CVE-2021-41275.yml

---
gem: spree_auth_devise
cve: 2021-41275
ghsa: 26xx-m4q2-xhq8
url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
title: Authentication Bypass by CSRF Weakness
date: 2021-11-18
description: |
  ### Impact

  CSRF vulnerability that allows user account takeover.

  All applications using any version of the frontend component of `spree_auth_devise`
  are affected if `protect_from_forgery` method is both:
  * Executed whether as:
    * A `before_action` callback (the default)
    * A `prepend_before_action` (option `prepend: true` given) before the
      `:load_object` hook in `Spree::UserController` (most likely order to find).
  * Configured to use ``:null_session` or ``:reset_session` strategies
    (``:null_session` is the default in case the no strategy is given, but `rails --new`
    generated skeleton use ``:exception`).

  That means that applications that haven't been configured differently from
  what is generated with Rails aren't affected.

  ### Patches

  * Spree 4.3 users should update to `spree_auth_devise` 4.4.1
  * Spree 4.2 users should update to `spree_auth_devise` 4.2.1
  * Spree 4.1 users should update to `spree_auth_devise` 4.1.1
  * Older Spree version users should update to `spree_auth_devise` 4.0.1

  ### Workarounds

  If possible, change your strategy to `:exception`:

  ```ruby
  class ApplicationController
    < ActionController::Base
    protect_from_forgery with: :exception
  end
  ```

  Add the following to `config/application.rb` to at least run the `:exception`
  strategy on the affected controller:

  ```ruby
  config.after_initialize do
    Spree::UsersController.protect_from_forgery
    with: :exception
  end
  ```
cvss_v3: 9.3
patched_versions:
  - "~> 4.0.1"
  - "~> 4.1.1"
  - "~> 4.2.1"
  - ">= 4.4.1"
related:
  ghsa:
    - xm34-v85h-9pg2
    - gpqc-4pp7-5954
    - 8xfw-5q82-3652
    - 6mqr-q86q-6gwr
  url:
    - https://github.com/spree/spree_auth_devise/commit/adf6ed4cd94d66091776b5febd4ff3767362de63