Cross-site Request Forgery (CSRF) Affecting spree_auth_devise package, versions >=4.3.0, <4.4.1 >=4.2.0, <4.2.1 >=4.1.0, <4.1.1 <4.0.1
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-SPREEAUTHDEVISE-1922831
- published 19 Nov 2021
- disclosed 18 Nov 2021
- credit Unknown
How to fix?
Upgrade spree_auth_devise
to version 4.4.1, 4.2.1, 4.1.1, 4.0.1 or higher.
Overview
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) that allows user account takeover.
Note: All applications using any version of the frontend component of spree_auth_devise
are affected if protect_from_forgery
method is both:
- Executed whether as:
- A
before_action
callback (the default) - A
prepend_before_action
(option prepend: true given) before the:load_object
hook inSpree::UserController
(most likely order to find).
- A
- Configured to use
:null_session
or:reset_session
strategies (:null_session
is the default in case the no strategy is given, but rails--new
generated skeleton use:exception
).
That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.