Platform
ruby
Component
solidus_auth_devise
Fixed in
1.0.1
2.5.4
CVE-2021-41274 describes a critical Cross-Site Request Forgery (CSRF) vulnerability affecting versions of the `solidus_auth_devise` frontend component up to and including 2.5.3. This vulnerability allows an attacker to potentially take over user accounts within a Rails application. The issue arises from a misconfiguration of the `protect_from_forgery` method, and a fix is available in version 2.5.4.
The core impact of CVE-2021-41274 is complete user account takeover. An attacker can craft malicious requests that, if successful, allow them to perform actions as a legitimate user without their knowledge or consent. This could include modifying user profiles, placing orders, or accessing sensitive data. The vulnerability is particularly concerning because it affects applications where `protect_from_forgery` is used with the `:null_session` or `:reset_session` strategies, which are common configurations. Successful exploitation requires the attacker to trick a user into visiting a malicious website or clicking a crafted link, making social engineering a key attack vector.
CVE-2021-41274 was publicly disclosed on November 18, 2021. While no active exploitation campaigns have been definitively linked to this specific CVE, the severity of the vulnerability and the ease of exploitation make it a potential target. No public proof-of-concept exploits have been widely released, but the vulnerability's nature makes it relatively straightforward to develop a working exploit. The CVSS score of 9.3 (CRITICAL) reflects the high likelihood of exploitation.
Exploit Status
EPSS
0.11% (29% percentile)
CVSS Vector
The primary mitigation for CVE-2021-41274 is to upgrade to version 2.5.4 or later of the `solidus_auth_devise` frontend component. If an immediate upgrade is not feasible, carefully review the configuration of `protect_from_forgery` within your Rails application. Ensure that it is not configured to use `:null_session` or `:reset_session` unless absolutely necessary. Consider implementing additional CSRF protection measures, such as double submit cookies or custom token generation, as a temporary workaround. After upgrading, confirm the fix by attempting to trigger a CSRF request and verifying that it is properly blocked.
Update the `solidus_auth_devise` gem to version 2.5.4 or higher. If you cannot update, change the CSRF protection strategy to `:exception` in your Rails application. See the GitHub advisory for more details on possible workarounds.
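The two checks above (gem version and forgery strategy) can be scripted. The following is an added example, not code from the advisory or from the solidus_auth_devise project: it reads the locked `solidus_auth_devise` version from a `Gemfile.lock` and scans controller source for `protect_from_forgery` calls that use `:null_session` or `:reset_session`. It assumes the two "Fixed in" entries refer to the 1.x and 2.x release lines, and the lockfile and controller snippets are constructed samples.

```ruby
# Added example: audit a Rails app for CVE-2021-41274 exposure (not project code).
require "rubygems"

# Assumption: "Fixed in 1.0.1 / 2.5.4" map to the 1.x and 2.x release lines.
FIXED_VERSIONS = { 1 => Gem::Version.new("1.0.1"), 2 => Gem::Version.new("2.5.4") }.freeze
WEAK_STRATEGIES = %w[null_session reset_session].freeze

# Direct spec entries in Gemfile.lock sit at exactly four spaces of indentation;
# dependency lines (six spaces, version constraints) are deliberately skipped.
def locked_version(lockfile_text)
  m = lockfile_text.match(/^ {4}solidus_auth_devise \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the locked version is older than the fix for its release line;
# any other line falls back to the page's headline bound (< 2.5.4 affected).
def vulnerable_version?(version)
  fix = FIXED_VERSIONS.fetch(version.segments.first, Gem::Version.new("2.5.4"))
  version < fix
end

# Return the weak strategies used by protect_from_forgery calls in Ruby source.
# A call without `with:` defaults to :null_session in Rails, so it is flagged too.
def weak_forgery_strategies(source)
  source.scan(/protect_from_forgery(?:\s+with:\s*:(\w+))?/)
        .map { |(strategy)| strategy || "null_session" }
        .select { |strategy| WEAK_STRATEGIES.include?(strategy) }
end

# Combine both checks into a list of human-readable findings.
def audit(lockfile_text, controller_sources)
  findings = []
  version = locked_version(lockfile_text)
  if version.nil?
    findings << "solidus_auth_devise not found in Gemfile.lock"
  elsif vulnerable_version?(version)
    findings << "solidus_auth_devise #{version} is affected by CVE-2021-41274"
  end
  controller_sources.each do |path, src|
    weak_forgery_strategies(src).each do |s|
      findings << "#{path}: protect_from_forgery uses :#{s}; switch to :exception"
    end
  end
  findings
end

SAMPLE_LOCK = <<~LOCK # constructed sample, not a real lockfile
  GEM
    remote: https://rubygems.org/
    specs:
      solidus_auth_devise (2.5.3)
        devise (~> 4.1)
LOCK
SAMPLE_CONTROLLERS = { # constructed snippets
  "app/controllers/spree/user_sessions_controller.rb" => "protect_from_forgery with: :null_session\n",
  "app/controllers/application_controller.rb" => "protect_from_forgery with: :exception\n",
}.freeze

puts audit(SAMPLE_LOCK, SAMPLE_CONTROLLERS) if __FILE__ == $0
```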
CVE-2021-41274 is a critical Cross-Site Request Forgery (CSRF) vulnerability in `solidus_auth_devise` versions up to 2.5.3, allowing attackers to potentially take over user accounts.
You are affected if your Rails application uses `solidus_auth_devise` version 2.5.3 or earlier, and the `protect_from_forgery` method is misconfigured.
Upgrade to version 2.5.4 or later of `solidus_auth_devise`. Review and correct your `protect_from_forgery` configuration if an immediate upgrade isn't possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the `solidus_auth_devise` project's GitHub repository and associated security advisories for detailed information and updates.