CVE-2021-41275: Authentication Bypass by CSRF Weakness
CVSS Score
9.3 (CVSS v3.1)
Basic Information
CVE ID
CVE-2021-41275
GHSA ID
EPSS Score
0.32948%
CWE
Published
11/18/2021
Updated
5/4/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
spree_auth_devise | rubygems | >= 4.3.0, < 4.4.1 | 4.4.1 |
spree_auth_devise | rubygems | >= 4.2.0, < 4.2.1 | 4.2.1 |
spree_auth_devise | rubygems | >= 4.1.0, < 4.1.1 | 4.1.1 |
spree_auth_devise | rubygems | < 4.0.1 | 4.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from callback execution order. The original controller code used prepend_before_action to run load_object, which reads the current user out of the session, ahead of every other before_action in the chain, including the verify_authenticity_token callback that Rails' protect_from_forgery registers. This is critical because:
- With the :null_session or :reset_session forgery-protection strategy, a request carrying an invalid CSRF token is not rejected outright; Rails clears the session instead. That clearing happens only when verify_authenticity_token runs, which was AFTER load_object had already run.
- The user object loaded from the still-intact session therefore stayed valid for the rest of the request, even though the CSRF token was invalid.
- The update action then proceeded with that pre-loaded user object, so a cross-site request could modify the victim's account.
- The patch removed the prepend_before_action and instead calls load_object explicitly inside each action, i.e. AFTER CSRF protection has run. The commit diff (removal of prepend_before_action, explicit load_object calls in the actions) confirms that execution order was the root cause.
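The ordering problem described above, as an added example that is not spree_auth_devise's or Rails' own code: a minimal model of the Rails before_action chain, with a base controller standing in for protect_from_forgery with: :null_session, a controller in the vulnerable shape (prepended load_object) and one in the patched shape (load_object called from the action). MiniController, BaseController, the hash-backed session and the token values are assumptions for illustration; the session and params are constructed sample data.

```ruby
# Added example, not spree_auth_devise's or Rails' own code: a minimal model
# of Rails' before_action chain, written to show why a prepended load_object
# defeats a :null_session CSRF check. MiniController, BaseController, the
# hash-backed session and the token names are assumptions for illustration.

class MiniController
  class << self
    # Each subclass starts from its parent's chain, as Rails does.
    def callbacks
      @callbacks ||= superclass.respond_to?(:callbacks) ? superclass.callbacks.dup : []
    end

    # before_action appends to the chain; prepend_before_action puts the
    # callback ahead of everything, including callbacks inherited from parents.
    def before_action(name)
      callbacks.push(name)
    end

    def prepend_before_action(name)
      callbacks.unshift(name)
    end
  end

  attr_reader :session, :params

  def initialize(session, params)
    @session = session
    @params  = params
  end

  # Run the callback chain in order, then the action.
  def process(action)
    self.class.callbacks.each { |cb| send(cb) }
    send(action)
    self
  end
end

# Stands in for protect_from_forgery with: :null_session, which registers
# verify_authenticity_token as an ordinary (non-prepended) before_action.
class BaseController < MiniController
  before_action :verify_authenticity_token

  def verify_authenticity_token
    return if params[:authenticity_token] == session[:csrf_token]

    @session = {} # :null_session: the rest of the request sees an empty session
  end

  def current_user
    session[:user] # nil once the session has been nulled
  end
end

# Vulnerable shape: load_object runs before the CSRF check, so @user is
# captured from the real session and survives the session being nulled.
class VulnerableUsersController < BaseController
  prepend_before_action :load_object

  def load_object
    @user = current_user
  end

  def update
    @user&.merge!(params[:user])
  end
end

# Patched shape: no prepended callback; the action loads the user itself,
# which now happens after verify_authenticity_token has already run.
class PatchedUsersController < BaseController
  def load_object
    @user = current_user
  end

  def update
    load_object
    @user&.merge!(params[:user])
  end
end

# Simulate a cross-site POST that carries the victim's session cookie and the
# given authenticity token; returns the account email after the request.
# Session and params below are constructed sample data.
def email_after_update(controller_class, token)
  victim  = { email: "victim@example.com" }
  session = { user: victim, csrf_token: "real-token" }
  params  = { authenticity_token: token, user: { email: "attacker@example.com" } }
  controller_class.new(session, params).process(:update)
  victim[:email]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, forged token: #{email_after_update(VulnerableUsersController, 'forged')}"
  puts "patched,    forged token: #{email_after_update(PatchedUsersController, 'forged')}"
  puts "patched,    real token:   #{email_after_update(PatchedUsersController, 'real-token')}"
end
```

With a forged token the vulnerable controller still rewrites the victim's email, because @user was captured before the session was nulled; the patched controller finds no current user at that point and changes nothing, while a request with the real token still works. The same check applies to any Rails controller: a prepend_before_action that dereferences the session runs before the forgery check, so it must not be relied on for anything the CSRF strategy is supposed to protect.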