2.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-31000

CVE-2022-31000: CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

Impact

CSRF vulnerability allowing attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer.

Reproduction steps:

Take an order's number.
Log in as an administrator.
Visit that order's adjustments section (Orders -> {Click on number} -> Adjustments) and check that its adjustments are finalized (closed padlock under the State column).
On another tab, visit {your_site_url}/admin/orders/{order_number}/adjustments/unfinalize.
Notice how the adjustments are unfinalized (open padlock), even if the previous was a GET request which could have been linked from any other site.
Visit {your_site_url}/admin/orders/{order_number}/adjustments/finalize.
Notice how the adjustments are again finalized.

That happened because both routes were handled as GET requests, which are skipped by Rails anti-forgery protection.

Patches

Users should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.

References

Rails CSRF protection.

For more information

If you have any questions or comments about this advisory:

Open an issue or a discussion in Solidus.
Email us at security@solidus.io
Contact the core team on Slack

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-31000

CVE-2022-31000:

2.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
solidus_backend	rubygems	< 2.11.16	2.11.16
solidus_backend	rubygems	>= 3.0.0, < 3.0.6	3.0.6
solidus_backend	rubygems	>= 3.1.0, < 3.1.6	3.1.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from state-changing operations (finalize/unfinalize) being exposed via GET requests in routes.rb. The commit diff shows these routes were originally configured with 'get' verbs, making them vulnerable to CSRF as Rails skips anti-forgery protection for GET requests. The controller actions mapped to these routes (unfinalize_adjustments and finalize_adjustments) would execute state changes without proper CSRF validation when accessed via GET, which was fixed by changing the HTTP method to PUT in both routes and view templates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-31000: CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

Impact

Patches

References

For more information

CVE-2022-31000:

2.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

2.3

2.3

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-31000: CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

Impact

Patches

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI