Platform
ruby
Component
spree_auth_devise
Fixed in
4.3.1
4.2.1
4.1.1
4.0.2
4.4.1
CVE-2021-41275 is a critical Cross-Site Request Forgery (CSRF) vulnerability affecting Spree Auth Devise versions up to 4.4.0. It allows an attacker to potentially take over user accounts in applications that use the Spree Auth Devise frontend component. The vulnerability arises from a misconfiguration of the protect_from_forgery method, and a fix is available in version 4.4.1.
The primary impact of CVE-2021-41275 is the potential for complete user account takeover. An attacker can craft malicious requests that, when triggered by a logged-in user, execute actions as that user without their knowledge or consent. This could include modifying user profiles, changing passwords, placing orders, or accessing sensitive data. The vulnerability is particularly concerning because it affects the frontend component of Spree Auth Devise, a widely used authentication library in Ruby on Rails applications. The combination of protect_from_forgery being executed as a before_action callback and the use of the :null_session or :reset_session strategies creates a perfect storm for CSRF exploitation: those strategies only empty the session rather than rejecting the request. Successful exploitation requires the attacker to trick the user into visiting a malicious website or clicking a crafted link.
CVE-2021-41275 was publicly disclosed on November 18, 2021. While no active exploitation campaigns have been definitively linked to this CVE, the CRITICAL severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of exploiting this flaw. The vulnerability's impact on user account takeover makes it a significant security risk.
Applications built with Ruby on Rails that use the Spree Auth Devise gem, particularly those relying on the frontend component, are at risk. Specifically, applications using default configurations, or those that have not explicitly configured protect_from_forgery with a robust strategy, are highly vulnerable. Shared hosting environments where application configurations are less controllable also present a heightened risk.
• ruby / server:
  # Check the installed Spree Auth Devise version
  # (Gem.loaded_specs is standard RubyGems API; the gem must be loaded)
  require 'spree_auth_devise'
  puts Gem.loaded_specs['spree_auth_devise']&.version
  # Without loading the application, the same information is in Gemfile.lock:
  # grep spree_auth_devise Gemfile.lock
• shell / server:
  # Inspect the application's controllers for protect_from_forgery settings;
  # strategies using :null_session or :reset_session are the ones at risk
  grep -rn 'protect_from_forgery' app/controllers
• generic web:
  # Check for suspicious requests in access logs
  # Look for requests with unexpected parameters or origins
  grep -i 'spree_auth_devise' /var/log/nginx/access.log
Disclosure
Patch
Exploit status
EPSS
0.07% (23rd percentile)
CVSS vector
The primary mitigation for CVE-2021-41275 is to upgrade to version 4.4.1 or later of Spree Auth Devise. If upgrading is not immediately feasible, consider implementing temporary workarounds. Ensure that the protect_from_forgery method is correctly configured and that the session management strategy is not vulnerable to CSRF attacks. Review your application's session handling logic and implement additional CSRF protection measures, such as using custom CSRF tokens or implementing stricter session validation. If using a web application firewall (WAF), configure rules to detect and block CSRF attacks targeting Spree Auth Devise endpoints. After upgrading, confirm the fix by attempting a CSRF attack against a test user account and verifying that the attack is blocked.
Update the spree_auth_devise gem to version 4.4.1 or higher for Spree 4.3 applications, to version 4.2.1 or higher for Spree 4.2 applications, to version 4.1.1 or higher for Spree 4.1 applications, or to version 4.0.1 or higher for older versions. Alternatively, change the CSRF protection strategy in your ApplicationController or in Spree::UsersController to :exception.
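The following is an added illustration and is not code from this advisory or from the spree_auth_devise project. It is a Rails-free Ruby model of the callback ordering described above: it assumes (as a simplification) that a before_action loading the current user from the session runs ahead of the CSRF check, and that :null_session and :reset_session merely empty the session instead of aborting the request. The class, method names and sample values (UsersControllerModel, simulate, the token and e-mail addresses) are all constructed for this example. It also goes one step beyond the text by showing that a legitimate request with a valid token still succeeds once the strategy is :exception.

```ruby
# Added example, not code from the advisory or from spree_auth_devise: a
# Rails-free model of the before_action ordering described in the advisory.
# Assumptions (simplified, hypothetical): a callback loading the current user
# from the session runs BEFORE the CSRF check, and :null_session /
# :reset_session only empty the session instead of aborting the request.
# All class names, method names and sample values are constructed.

class ForgeryError < StandardError; end

# A minimal stand-in for a request: session hash, form params, CSRF token.
Request = Struct.new(:session, :params, :csrf_token, keyword_init: true)

class UsersControllerModel
  VALID_TOKEN = 'tok-constructed-123'.freeze   # constructed sample token

  attr_reader :users

  # strategy is :null_session, :reset_session (weak) or :exception (the fix)
  def initialize(strategy:)
    @strategy = strategy
    @users = { 42 => { email: 'alice@example.test' } }  # constructed sample user
  end

  # Models the update action with its two before_action callbacks in the
  # assumed order: load_user first, then verify_authenticity.
  def update(request)
    @session = request.session.dup
    load_user                      # before_action 1: reads the session
    verify_authenticity(request)   # before_action 2: CSRF check
    return :denied if @current_user.nil?
    @current_user[:email] = request.params[:email]
    :updated
  end

  private

  def load_user
    id = @session[:user_id]
    @current_user = id && @users[id]   # memoised for the rest of the request
  end

  def verify_authenticity(request)
    return if request.csrf_token == VALID_TOKEN
    case @strategy
    when :exception
      raise ForgeryError, 'CSRF token missing or invalid'
    when :null_session, :reset_session
      @session = {}   # empties the session, but @current_user is already set
    else
      raise ArgumentError, "unknown strategy #{@strategy.inspect}"
    end
  end
end

# Runs one request against a controller using the given strategy and returns
# [outcome, email of user 42 afterwards]. A forged request carries the
# victim's session (the browser sends the cookie) but no valid CSRF token.
def simulate(strategy:, forged:)
  controller = UsersControllerModel.new(strategy: strategy)
  request = Request.new(
    session: { user_id: 42 },
    params: { email: forged ? 'attacker@example.test' : 'alice.new@example.test' },
    csrf_token: forged ? nil : UsersControllerModel::VALID_TOKEN
  )
  outcome = begin
    controller.update(request)
  rescue ForgeryError
    :blocked
  end
  [outcome, controller.users[42][:email]]
end

if __FILE__ == $PROGRAM_NAME
  %i[null_session reset_session exception].each do |strategy|
    puts "#{strategy}: #{simulate(strategy: strategy, forged: true).inspect}"
  end
end
```

Running the file prints one line per strategy for a forged request: under :null_session and :reset_session the e-mail is changed even though the session was emptied, because the user object had already been loaded by the earlier callback; under :exception the request is rejected before the action runs, which is why the remediation above recommends that strategy.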
CVE-2021-41275 is a critical Cross-Site Request Forgery (CSRF) vulnerability in Spree Auth Devise versions up to 4.4.0, allowing attackers to potentially take over user accounts.
You are affected if your application uses Spree Auth Devise version 4.4.0 or earlier and the protect_from_forgery method is misconfigured.
Upgrade to Spree Auth Devise version 4.4.1 or higher. Review and correct the configuration of protect_from_forgery if an immediate upgrade is not possible.
While no confirmed active exploitation campaigns are known, the CRITICAL severity and availability of PoCs suggest a potential for exploitation.
Refer to the Spree Auth Devise GitHub repository for details and updates: https://github.com/spree/spree-auth-devise