PT-2021-23235 · Unknown · Spree Auth Devise

Waiting-For-Dev

Published: 2021-11-17
Updated: 2023-03-01

CVE-2021-41275

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
spree_auth_devise versions prior to 4.0.1
spree_auth_devise versions prior to 4.1.1
spree_auth_devise versions prior to 4.2.1
spree_auth_devise versions prior to 4.4.1
Description
The issue is a CSRF vulnerability that allows user account takeover. All applications using any version of the frontend component of spree_auth_devise are affected if the protect_from_forgery method is both executed as a before_action callback or a prepend_before_action before the :load_object hook in Spree::UserController, and configured to use the :null_session or :reset_session strategy. Applications that haven't been configured differently from what's generated with Rails aren't affected.
Recommendations
For Spree 4.3 users, update to spree_auth_devise 4.4.1. For Spree 4.2 users, update to spree_auth_devise 4.2.1. For Spree 4.1 users, update to spree_auth_devise 4.1.1. For older Spree version users, update to spree_auth_devise 4.0.1. As a temporary workaround, consider changing the strategy to :exception by adding the following code to config/application.rb:

config.after_initialize do
  Spree::UsersController.protect_from_forgery with: :exception
end

Alternatively, change the strategy to :exception in the ApplicationController:

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception
end
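The reason the workaround switches to :exception is the difference in what each protect_from_forgery strategy does with a request whose authenticity token does not match: only :exception aborts the request, while :null_session and :reset_session let the callback chain and the action keep running with an emptied or cleared session. The following plain-Ruby model, added here as an illustration and not code from the advisory or from the spree_auth_devise project, simulates a controller whose forgery check runs as a before_action and reports whether the action body is reached. The classes ForgeryProtection, SimulatedController and Request are assumptions of this model, not Rails internals, and the sample session and token values are constructed.

```ruby
# Added example: a simplified model of Rails' protect_from_forgery strategies.
# Class and method names are assumptions of this model, not Rails' own API.
require 'securerandom'

class InvalidAuthenticityToken < StandardError; end

# Minimal stand-in for a request: the session hash and the submitted params.
Request = Struct.new(:session, :params, keyword_init: true)

class ForgeryProtection
  STRATEGIES = %i[exception null_session reset_session].freeze

  def initialize(strategy)
    raise ArgumentError, "unknown strategy #{strategy}" unless STRATEGIES.include?(strategy)
    @strategy = strategy
  end

  # Returns the request the rest of the callback chain will see.
  # Only :exception stops a request with a mismatched token outright.
  def call(request)
    return request if token_valid?(request)

    case @strategy
    when :exception
      raise InvalidAuthenticityToken
    when :null_session
      # An empty session is substituted for the remainder of this request.
      Request.new(session: {}, params: request.params)
    when :reset_session
      # The stored session is cleared, but the request still proceeds.
      request.session.clear
      request
    end
  end

  private

  def token_valid?(request)
    expected = request.session[:_csrf_token]
    submitted = request.params[:authenticity_token]
    !expected.nil? && !submitted.nil? && secure_compare(expected, submitted)
  end

  # Constant-time comparison for equal-length strings.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A controller whose forgery check runs as a before_action; records whether
# the action body executed after the check.
class SimulatedController
  attr_reader :action_ran

  def initialize(strategy)
    @protection = ForgeryProtection.new(strategy)
    @action_ran = false
  end

  def dispatch(request)
    request = @protection.call(request) # before_action
    @action_ran = true                  # the action body runs
    request.session[:user_id]           # what the action would see as the user
  end
end

# Sends a request with a wrong token through the given strategy and reports
# whether the action body was reached. Session values are constructed.
def forged_request_reaches_action?(strategy)
  session = { _csrf_token: SecureRandom.hex(16), user_id: 42 }
  forged = Request.new(session: session, params: { authenticity_token: 'bogus' })
  controller = SimulatedController.new(strategy)
  begin
    controller.dispatch(forged)
  rescue InvalidAuthenticityToken
    # :exception aborts before the action
  end
  controller.action_ran
end

# Sends a request carrying the session's own token; every strategy lets it through.
def genuine_request_reaches_action?(strategy)
  token = SecureRandom.hex(16)
  session = { _csrf_token: token, user_id: 42 }
  genuine = Request.new(session: session, params: { authenticity_token: token })
  controller = SimulatedController.new(strategy)
  controller.dispatch(genuine)
  controller.action_ran
end

if __FILE__ == $PROGRAM_NAME
  ForgeryProtection::STRATEGIES.each do |s|
    puts "#{s}: mismatched-token request reaches action? #{forged_request_reaches_action?(s)}"
  end
end
```

Running the block prints that a mismatched-token request reaches the action under :null_session and :reset_session but not under :exception. That is why the advisory's workaround forces :exception on Spree::UsersController: with the other two strategies, any protection depends on what the action does once the session has been emptied, which is exactly the ordering relative to :load_object that the description calls out.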

Weakness Enumeration
CSRF

Related Identifiers

CVE-2021-41275
GHSA-26XX-M4Q2-XHQ8
GHSA-6MQR-Q86Q-6GWR
GHSA-8XFW-5Q82-3652
GHSA-GPQC-4PP7-5954

Affected Products

Spree Auth Devise