Platform
ruby
Component
solidus_auth_devise
Fixed in
1.0.1
2.5.4
CVE-2021-41274 describes a critical Cross-Site Request Forgery (CSRF) vulnerability affecting versions of the solidus_auth_devise frontend component up to and including 2.5.3. The flaw can allow an attacker to take over user accounts in a Rails application. It arises from a misconfiguration of the `protect_from_forgery` method, and a fix is available in version 2.5.4.
The core impact of CVE-2021-41274 is the potential for user account takeover. A successful CSRF attack exploits the trust a website places in an authenticated user's browser: if `protect_from_forgery` is not configured correctly, an attacker can craft requests that appear to come from a legitimate user and so perform actions on that user's behalf, such as changing passwords, updating profile information, or making unauthorised purchases. The severity is amplified by the default configuration of solidus_auth_devise, which often uses the :null_session or :reset_session strategy, increasing the likelihood of successful exploitation. This resembles other CSRF vulnerabilities in which improper session management leads to unauthorised actions.
CVE-2021-41274 was publicly disclosed on November 18, 2021. While no active exploitation campaigns have been definitively linked to this specific CVE, the ease of CSRF exploitation and the widespread use of Ruby on Rails applications make it a potential target. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of exploitation. The CVSS score of 9.3 (CRITICAL) reflects the high potential for impact and ease of exploitation.
Applications built with Ruby on Rails that use the solidus_auth_devise gem, especially those relying on the default :null_session strategy for session management, are at significant risk. Shared hosting environments in which multiple applications share the same server and configuration are also particularly exposed, as a compromise of one application could affect the others.
• ruby / rails: Check the Gemfile for solidus_auth_devise versions <= 2.5.3. Inspect application code for the `protect_from_forgery` configuration, looking in particular for the :null_session or :reset_session strategy. To list the installed version:
    gem list solidus_auth_devise
• generic web: Monitor application logs for unusual activity, such as unexpected requests originating from different IP addresses. Review access logs for suspicious URLs or patterns.
• wordpress / composer / npm: N/A. This vulnerability is specific to Ruby on Rails applications using the solidus_auth_devise gem.
disclosure
patch
Exploit status
EPSS
0.11% (29th percentile)
CVSS vector
The primary mitigation for CVE-2021-41274 is to upgrade to version 2.5.4 or later of the solidus_auth_devise component. Before upgrading, review your application's configuration to ensure `protect_from_forgery` is correctly implemented; in particular, verify that it is not bypassed or overridden in unexpected ways. If an upgrade is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks requests with suspicious CSRF tokens. Additionally, review your application's logs for unusual activity or failed CSRF protection attempts. After upgrading, confirm the fix by attempting a CSRF request against a test user account and verifying that the protection mechanism rejects it as expected.
Update the `solidus_auth_devise` gem to version 2.5.4 or later. If an update is not possible, change the CSRF protection strategy in your Rails application to `:exception`. Further information on possible workarounds can be found in the GitHub advisory.
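The two checks this page recommends (the Gemfile version check in the detection section and the `:exception` strategy check in the workaround above) can be scripted. This is an added example, not code from the advisory or from the solidus_auth_devise project; the sample lockfile and controller source are constructed, and the function names are my own.

```ruby
# Added example, not from the advisory or the solidus_auth_devise project.
FIXED_VERSION = Gem::Version.new("2.5.4")  # fixed release named in the advisory

# Parse every `specs:` block of a Gemfile.lock into {gem_name => Gem::Version}.
# Resolved gems sit at a 4-space indent as "name (version)"; the 6-space lines
# under them are dependency constraints and are skipped on purpose.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false unless line.start_with?(" ")  # blank line or next section
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = Gem::Version.new(m[2].split("-", 2).first) if m  # drop platform suffix
  end
  specs
end

# True when the lockfile pins solidus_auth_devise below the fixed release.
def vulnerable_solidus_auth_devise?(lock_text)
  version = parse_lockfile_specs(lock_text)["solidus_auth_devise"]
  !version.nil? && version < FIXED_VERSION
end

# [line_number, line] for every protect_from_forgery call not using :exception.
# A bare call defaults to :null_session in Rails, so it is flagged as well.
def weak_forgery_protection_lines(source)
  source.each_line.with_index(1).filter_map do |line, no|
    next unless line.match?(/\bprotect_from_forgery\b/)
    next if line.match?(/with:\s*:exception\b/)
    [no, line.strip]
  end
end

SAMPLE_LOCK = <<~LOCK  # constructed sample lockfile, not from a real project
  GEM
    remote: https://rubygems.org/
    specs:
      devise (4.8.1)
      solidus_auth_devise (2.5.3)
        devise (~> 4.1)
LOCK

SAMPLE_CONTROLLER = <<~RUBY  # constructed sample controller source
  class Spree::UserSessionsController < Devise::SessionsController
    protect_from_forgery with: :null_session
  end
RUBY
```

Run it against your own `Gemfile.lock` and `app/controllers` sources; any line the second function reports is a candidate for the `with: :exception` workaround.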
CVE-2021-41274 is a critical Cross-Site Request Forgery (CSRF) vulnerability in solidus_auth_devise versions up to 2.5.3 that can allow attackers to take over user accounts.
You are affected if your Rails application uses solidus_auth_devise version 2.5.3 or earlier and the `protect_from_forgery` method is misconfigured.
Upgrade to version 2.5.4 or later of solidus_auth_devise. If an immediate upgrade is not possible, review and correct your `protect_from_forgery` configuration.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the solidus_auth_devise project's GitHub repository and associated security advisories for detailed information and updates.