
CVE-2021-41275: Authentication Bypass by CSRF Weakness

CVSS Score
9.3 (CVSS 3.1)

Basic Information

EPSS Score
0.32948%
Published
11/18/2021
Updated
5/4/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Package Name      | Ecosystem | Vulnerable Versions | First Patched Version
------------------|-----------|---------------------|----------------------
spree_auth_devise | rubygems  | >= 4.3.0, < 4.4.1   | 4.4.1
spree_auth_devise | rubygems  | >= 4.2.0, < 4.2.1   | 4.2.1
spree_auth_devise | rubygems  | >= 4.1.0, < 4.1.1   | 4.1.1
spree_auth_devise | rubygems  | < 4.0.1             | 4.0.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from callback execution order. The original code used prepend_before_action to load the user object before CSRF validation ran. This matters because:

  1. With the :null_session / :reset_session forgery-protection strategies, a request carrying an invalid CSRF token is not rejected; its session data is cleared, but only AFTER the user has already been loaded.
  2. The pre-loaded user object therefore remained valid even when the CSRF token was invalid.
  3. Update actions could proceed with that pre-loaded user object.
  4. The patch moved load_object into the individual actions, so it now runs AFTER CSRF protection.

The commit diff shows the removal of prepend_before_action and the addition of explicit load_object calls inside the actions, confirming that the execution order was the root cause.
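The ordering problem above, reproduced in an added example that is not code from spree_auth_devise, Rails or Miggo: a constructed stand-in for the Rails callback chain with a :null_session-style CSRF check, a vulnerable controller that prepends load_object, and the patched shape that loads the user inside the action. Class names, the session hash and the boolean return are assumptions made for the illustration.

```ruby
# Constructed stand-in for the Rails callback chain; not Rails or spree_auth_devise code.
class MiniController
  def self.callbacks; @callbacks ||= []; end
  def self.before_action(name); callbacks.push(name); end
  # prepend_before_action puts the callback at the FRONT of the chain.
  def self.prepend_before_action(name); callbacks.unshift(name); end
  def initialize(session, csrf_ok)
    @session = session   # constructed sample, e.g. { "user_id" => 42 }
    @csrf_ok = csrf_ok   # whether the request carried a valid CSRF token
  end

  # Stand-in for protect_from_forgery with: :null_session. A bad token does not
  # abort the request; it only empties the session for the rest of it.
  def verify_authenticity_token
    @session = {} unless @csrf_ok
  end

  def load_object
    @user = @session["user_id"] ? { id: @session["user_id"] } : nil
  end

  # Runs the callback chain in order, then the action; returns the action's result.
  def process(action)
    self.class.callbacks.each { |cb| send(cb) }
    send(action)
  end
end

# Vulnerable order: load_object is prepended, so it runs before the CSRF check
# and the already-loaded @user survives the session reset.
class VulnerableUsersController < MiniController
  before_action :verify_authenticity_token
  prepend_before_action :load_object
  def update
    !@user.nil?   # true: the write goes through with the stale user
  end
end

# Patched order: the user is loaded inside the action, after the CSRF check.
class PatchedUsersController < MiniController
  before_action :verify_authenticity_token
  def update
    load_object
    !@user.nil?
  end
end
# true when the update went through; csrf_ok: false models a forged request.
def update_succeeds?(klass, session: { "user_id" => 42 }, csrf_ok: false)
  klass.new(session, csrf_ok).process(:update)
end
```

With a valid session and an invalid token, the vulnerable chain still performs the update while the patched chain does not, which is exactly the behaviour the root-cause analysis describes.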
