PT-2021-23946 · Solidus · Solidus

Published

2021-12-07

·

Updated

2021-12-08

·

CVE-2021-43805

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Solidus 3.1.x prior to 3.1.4; Solidus 3.0.x prior to 3.0.4; earlier Solidus releases prior to 2.11.13
Description: A denial of service that can be triggered during guest checkout, which requires no authentication. The regular expression Solidus uses to validate a guest order's email address is subject to exponential (catastrophic) backtracking on addresses built from many repeated fragments of the form a.a (a run of characters followed by a dot, over and over), so a crafted email that is long enough keeps the regex engine busy and exhausts server resources, CPU time in particular, for as long as the request runs. The CVSS vector reflects this: network, no privileges, no user interaction, availability impact only. The maintainers also added a task that lists orders already stored with an invalid email address.
Recommendations: Update to a fixed release of the branch you run: 3.1.4 or later for 3.1.x, 3.0.4 or later for 3.0.x, and 2.11.13 or later for earlier releases. As a temporary workaround until you can upgrade, add the code provided in the advisory to config/application.rb to replace the email validity check. Afterwards run bin/rails solidus:check_orders_with_invalid_email to print information about any existing orders carrying an invalid email address; the task only reports them.
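The backtracking described above, as an added example that is not Solidus's own code: a regex of the shape the advisory describes next to a hardened rewrite, a constructed payload, a length-capped validator, and a small stand-in for the maintainers' invalid-email check run over constructed sample orders. VULNERABLE_EMAIL_REGEXP, SAFE_EMAIL_REGEXP, craft_payload, valid_guest_email?, orders_with_invalid_email, timed_match and SAMPLE_ORDERS are all names introduced for this illustration, not Solidus identifiers, and the vulnerable pattern illustrates the pattern class (an assumption), not a copy of the project's regex.

```ruby
require "timeout"
require "benchmark"

# Illustrative pattern of the shape the advisory describes (an assumption, not a
# copy of Solidus's regex). `[^@\s]` also matches ".", so in `([^@\s]+\.)+` every
# dot of the domain part can be consumed either by `[^@\s]+` or by the literal
# `\.`. When the overall match fails, the engine retries all 2^k splits of k dots.
VULNERABLE_EMAIL_REGEXP = /\A([^@\.]|[^@\.]([^@\s]*)[^@\.])@([^@\s]+\.)+[^@\s]+\z/

# Hardened form: labels exclude ".", so a dot can only be matched by `\.` and every
# input has exactly one parse. As a side effect it also rejects "a@b..c" and a
# trailing dot, both of which the ambiguous pattern accepts.
SAFE_EMAIL_REGEXP = /\A([^@\.]|[^@\.]([^@\s]*)[^@\.])@([^@\s.]+\.)+[^@\s.]+\z/

MAX_EMAIL_LENGTH = 254 # RFC 5321 limit on a mailbox path; cheap check before any regex

# Constructed payload: a@a.a.a....a@ -- k dots in the domain part followed by a
# second "@" so the match is guaranteed to fail and backtracking is fully exercised.
def craft_payload(dots)
  "a@" + ("a." * dots) + "a@"
end

# Validator as a guest checkout should run it: cap the length first, then match
# the unambiguous pattern.
def valid_guest_email?(email)
  return false if email.nil? || email.length > MAX_EMAIL_LENGTH

  SAFE_EMAIL_REGEXP.match?(email)
end

# Stand-in for the maintainers' "orders with invalid email" check: given an array
# of { number:, email: } hashes, return those whose stored email fails the validator.
def orders_with_invalid_email(orders)
  orders.reject { |order| valid_guest_email?(order[:email]) }
end

# Run a match under a wall-clock budget. Returns [result, seconds]; result is
# :timeout when the budget is exceeded (Timeout can interrupt MRI's regex engine).
def timed_match(regexp, email, limit: 1)
  result = nil
  seconds = Benchmark.realtime do
    begin
      result = Timeout.timeout(limit) { regexp.match?(email) }
    rescue Timeout::Error
      result = :timeout
    end
  end
  [result, seconds]
end

# Constructed sample orders: two good addresses, the DoS payload, two malformed ones.
SAMPLE_ORDERS = [
  { number: "R100000001", email: "alice@example.com" },
  { number: "R100000002", email: "bob@mail.example.co.uk" },
  { number: "R100000003", email: craft_payload(40) },
  { number: "R100000004", email: "carol@example..com" },
  { number: "R100000005", email: "dave@example.com." }
].freeze

if __FILE__ == $PROGRAM_NAME
  payload = craft_payload(20)
  { "vulnerable" => VULNERABLE_EMAIL_REGEXP, "hardened" => SAFE_EMAIL_REGEXP }.each do |name, re|
    result, seconds = timed_match(re, payload)
    puts format("%-10s match=%-8s %.4fs", name, result.inspect, seconds)
  end
  orders_with_invalid_email(SAMPLE_ORDERS).each do |order|
    puts "order #{order[:number]}: invalid email #{order[:email][0, 40].inspect}"
  end
end
```

Run it with ruby; the two timing lines are informational only. On Ruby 3.2 and later the interpreter's regex memoization may already make the ambiguous pattern finish in linear time, and Regexp.timeout= exists as a process-wide backstop, but neither helps an application pinned to an older Ruby. The disjoint-class rewrite removes the ambiguity on any interpreter, and the length cap rejects oversized input before a regex runs at all, which is the cheap check worth keeping even after upgrading.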

Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CVE-2021-43805
GHSA-QXMR-QXH6-2CC9

Affected Products

Solidus