CVE-2021-41274 — CRITICAL (9.3)

Q: How severe is CVE-2021-41274?

CVE-2021-41274 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-41274?

Check the references section above for vendor advisories and patch information. Affected products include: Nebulab Solidus Auth Devise.

Vulnerability Description

solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of `solidus_auth_devise` are affected if `protect_from_forgery` method is both: Executed whether as: A `before_action` callback (the default) or A `prepend_before_action` (option `prepend: true` given) before the `:load_object` hook in `Spree::UserController` (most likely order to find). Configured to use `:null_session` or `:reset_session` strategies (`:null_session` is the default in case the no strategy is given, but `rails --new` generated skeleton use `:exception`). Users should promptly update to `solidus_auth_devise` version `2.5.4`. Users unable to update should if possible, change their strategy to `:exception`. Please see the linked GHSA for more workaround details.

CVSS Score

9.3

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Nebulab	Solidus Auth Devise	>= 1.0.0, < 2.5.4

Related Weaknesses (CWE)

CWE-352

References

https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ecPatchThird Party Advisory
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-vExploitThird Party Advisory
https://github.com/solidusio/solidus_auth_devise/commit/731a6645e90ea9fd228f78ecPatchThird Party Advisory
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-vExploitThird Party Advisory

FAQ

What is CVE-2021-41274?

CVE-2021-41274 is a vulnerability with a CVSS score of 9.3 (CRITICAL). solidus_auth_devise provides authentication services for the Solidus webstore framework, using the Devise gem. In affected versions solidus_auth_devise is subject to a CSRF vulnerability that allows u...

How severe is CVE-2021-41274?

CVE-2021-41274 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-41274?

Check the references section above for vendor advisories and patch information. Affected products include: Nebulab Solidus Auth Devise.