9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41275

GHSA ID

GHSA-26xx-m4q2-xhq8

EPSS Score

0.32948%

CWE

CWE-352

Published

11/18/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41275

CVE-2021-41275:
Authentication Bypass by CSRF Weakness

Impact

CSRF vulnerability that allows user account takeover.

All applications using any version of the frontend component of spree_auth_devise are affected if protect_from_forgery method is both:

Executed whether as:
- A before_action callback (the default)
- A prepend_before_action (option prepend: true given) before the :load_object hook in Spree::UserController (most likely order to find).
Configured to use :null_session or :reset_session strategies (:null_session is the default in case the no strategy is given, but rails --new generated skeleton use :exception).

That means that applications that haven't been configured differently from what it's generated with Rails aren't affected.

Thanks @waiting-for-dev for reporting and providing a patch 👏

Patches

Spree 4.3 users should update to spree_auth_devise 4.4.1 Spree 4.2 users should update to spree_auth_devise 4.2.1 Spree 4.1 users should update to spree_auth_devise 4.1.1 Older Spree version users should update to spree_auth_devise 4.0.1

Workarounds

If possible, change your strategy to :exception:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end

Add the following toconfig/application.rb to at least run the :exception strategy on the affected controller:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

References

https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

(GitHub Advisory)

9.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41275

GHSA ID

GHSA-26xx-m4q2-xhq8

EPSS Score

0.32948%

CWE

CWE-352

Published

11/18/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
spree_auth_devise	rubygems	>= 4.3.0, < 4.4.1	4.4.1
spree_auth_devise	rubygems	>= 4.2.0, < 4.2.1	4.2.1
spree_auth_devise	rubygems	>= 4.1.0, < 4.1.1	4.1.1
spree_auth_devise	rubygems	< 4.0.1	4.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from callback execution order. The original code used prepend_before_action to load user objects before CSRF validation. This is critical because:

When using :null_session/reset_session strategies, session data gets cleared AFTER user loading
The user object remained valid even with invalid CSRF tokens
Update actions could proceed with the pre-loaded user object
The patch moved load_object into individual actions AFTER CSRF protection Commit diff shows removal of prepend_before_action and explicit load_object calls in actions, confirming the execution order was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *SR* vuln*r**ility t**t *llows us*r ***ount t*k*ov*r. *ll *ppli**tions usin* *ny v*rsion o* t** *ront*n* *ompon*nt o* `spr**_*ut*_**vis*` *r* *****t** i* `prot**t_*rom_*or**ry` m*t*o* is *ot*: * *x**ut** w**t**r *s: * * ***or*_**tion

Reasoning

T** vuln*r**ility st*ms *rom **ll***k *x**ution or**r. T** ori*in*l *o** us** pr*p*n*_***or*_**tion to lo** us*r o*j**ts ***or* *SR* v*li**tion. T*is is *riti**l ****us*: *. W**n usin* :null_s*ssion/r*s*t_s*ssion str*t**i*s, s*ssion **t* **ts *l**r**

9.3

Basic Information

Concerned about an active attack path?

CVE-2021-41275: Authentication Bypass by CSRF Weakness

Impact

Patches

Workarounds

References

9.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-41275:
Authentication Bypass by CSRF Weakness

Vulnerability Intelligence
Miggo AI