Vulnerability Details CVE-2021-41274
solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 29.5%
CVSS Severity
CVSS v3 Score 9.3
CVSS v2 Score 6.8
References
- https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
- https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ec53c6976c048a0555
- https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
Products affected by CVE-2021-41274
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.0.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.1.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.2.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.2.1
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.2.2
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.2.3
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.3.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.4.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.5.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.6.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.6.1
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.6.2
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.6.3
-
cpe:2.3:a:nebulab:solidus_auth_devise:1.6.4
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.0.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.1.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.2.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.3.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.4.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.5.0
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.5.1
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.5.2
-
cpe:2.3:a:nebulab:solidus_auth_devise:2.5.3