Authentication Bypass by CSRF Weakness
Package: solidus_core
Affected versions: < 2.11.12; >= 3.0.0, < 3.0.3; >= 3.1.0, < 3.1.3
Patched versions: 2.11.12, 3.0.3, 3.1.3
Description
Reviewed: Nov 17, 2021
Published to the GitHub Advisory Database: Nov 18, 2021
Last updated: Jan 9, 2023
Impact
The actual vulnerability was discovered in solidus_auth_devise; see GHSA-xm34-v85h-9pg2 for details.

This advisory exists to provide an extra layer of security in the form of a monkey patch, shipped in solidus_core, for users who do not update solidus_auth_devise. For this reason it has been marked as low impact on this end.

Patches
For extra security, update solidus_core to version 3.1.3, 3.0.3 or 2.11.12.

Workarounds
Look at the workarounds described at GHSA-xm34-v85h-9pg2.
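The advisory names the class of weakness (authentication bypass through a missing CSRF check) but, by design, not the mechanism. The following plain-Ruby model is an added illustration of that class; it is not Solidus, solidus_auth_devise or the monkey patch referenced above. It shows a sign-in endpoint with and without request-forgery protection and why the unprotected one lets a cross-site request sign the victim into an account the attacker controls (login CSRF). The controller, session hash, sample accounts and token scheme are all constructed for the example; Rails' real protect_from_forgery is richer (per-form tokens, origin checks), but the check it performs is the same in spirit.

```ruby
require "securerandom"

# Added illustration of the weakness class named in the advisory (a sign-in
# endpoint that skips request-forgery protection). This is NOT Solidus or
# solidus_auth_devise code and NOT the monkey patch the advisory refers to;
# controller, session and account data below are constructed for the example.
module CsrfProtection
  # One random token per session; the real form renders it as a hidden field.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so a forged submission cannot probe the token
  # byte by byte through timing differences.
  def self.valid_token?(session, submitted)
    expected = session[:_csrf_token]
    return false if expected.nil? || submitted.nil?
    return false unless expected.bytesize == submitted.bytesize
    expected.bytes.zip(submitted.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Simulated sessions controller. protect_from_forgery: false models an
# endpoint whose CSRF check was skipped; true models the protected behaviour.
class SessionsController
  # Constructed sample accounts (plaintext only to keep the example short).
  ACCOUNTS = {
    "victim@example.com"   => "victim-pw",
    "attacker@example.com" => "attacker-pw",
  }.freeze

  def initialize(protect_from_forgery:)
    @protect_from_forgery = protect_from_forgery
  end

  # params: submitted form fields; session: the browser session the cookie
  # selects (the victim's, even when the form was submitted by another site).
  def create(params, session)
    if @protect_from_forgery && !CsrfProtection.valid_token?(session, params["authenticity_token"])
      return { status: 422, error: "invalid authenticity token" }
    end
    return { status: 401 } unless ACCOUNTS[params["email"]] == params["password"]

    session[:user_email] = params["email"]
    { status: 302, location: "/account" }
  end
end

# Login CSRF: a page on the attacker's site auto-submits the shop's sign-in
# form with the attacker's own credentials. The victim's browser attaches the
# victim's session cookie, so without a token check the victim is silently
# signed in as the attacker, who can later review whatever the victim did
# (addresses, orders) under that account. Returns who the session now
# belongs to, or nil if the request was refused.
def cross_site_login(controller)
  victim_session = {} # the attacker's page never saw a token for this session
  forged = { "email" => "attacker@example.com", "password" => "attacker-pw" }
  controller.create(forged, victim_session)
  victim_session[:user_email]
end

# Legitimate sign-in: the token was rendered into the form from this session.
def legitimate_login(controller)
  session = {}
  token = CsrfProtection.issue_token(session)
  params = { "email" => "victim@example.com", "password" => "victim-pw",
             "authenticity_token" => token }
  controller.create(params, session)
  session[:user_email]
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected endpoint, forged request -> #{cross_site_login(SessionsController.new(protect_from_forgery: false)).inspect}"
  puts "protected endpoint,   forged request -> #{cross_site_login(SessionsController.new(protect_from_forgery: true)).inspect}"
  puts "protected endpoint,   real form      -> #{legitimate_login(SessionsController.new(protect_from_forgery: true)).inspect}"
end
```

The point to carry back to a real application: the check has to run on the sign-in action itself. A CSRF token on every other form does nothing if the sessions endpoint skips verification, because the attacker's page supplies the credentials and the victim's browser supplies the cookie.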
For more information
If you have any questions or comments about this advisory: