CVE-2021-41274

9.3 CRITICAL

📋 TL;DR

CVE-2021-41274 is a cross-site request forgery (CSRF) vulnerability in the frontend component of solidus_auth_devise. An attacker who lures a logged-in customer to an attacker-controlled page can have that page submit account-modifying requests to the store in the victim's session, leading to account takeover. Applications are affected when they use the frontend component and protect_from_forgery runs with the :null_session strategy (the Rails default when no strategy is given) or the :reset_session strategy. Applications that use the :exception strategy are not affected.

💻 Affected Systems

Products:
  • solidus_auth_devise
Versions: All versions before 2.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Applications are vulnerable when they use the frontend component and protect_from_forgery is configured with the :null_session or :reset_session strategy. :null_session is what Rails uses when protect_from_forgery is called without a with: option, so an application that never chose a strategy is in the affected group.

📦 What is this software?

solidus_auth_devise is the Devise-based authentication extension for Solidus, the Ruby on Rails e-commerce platform. Its frontend component provides the storefront login, registration, password-reset and account pages; its backend component covers the admin interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and full system compromise.

🟠

Likely Case

Attacker takes over customer accounts to steal personal information, payment details, and make unauthorized purchases.

🟢

If Mitigated

No impact once the application runs solidus_auth_devise 2.5.4 or later, or when protect_from_forgery uses the :exception strategy, which aborts a request with an invalid authenticity token instead of running the action with an emptied session.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires luring a logged-in user to an attacker-controlled page that submits a request to the store. The attacker needs no credentials of their own; the victim must have an active session with the storefront.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.5.4

Vendor Advisory: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2

Restart Required: Yes

Instructions:

1. Update the Gemfile entry to gem 'solidus_auth_devise', '~> 2.5.4'
2. Run bundle update solidus_auth_devise
3. Restart the application server

🔧 Temporary Workarounds

Change CSRF protection strategy

Applies to: all versions before 2.5.4

Configure protect_from_forgery to use the :exception strategy instead of the default :null_session (or :reset_session). With :exception, a request whose authenticity token is missing or invalid raises ActionController::InvalidAuthenticityToken and is answered with HTTP 422 before the action runs.

In application_controller.rb: protect_from_forgery with: :exception

Before switching, confirm that every storefront form and AJAX call already sends the authenticity token (Rails form helpers and rails-ujs do this by default); otherwise legitimate requests will start failing with 422.

🧯 If You Can't Patch

  • Switch protect_from_forgery to the :exception strategy (see the workaround above); this is the only change that stops the attack short of upgrading
  • Set the session cookie's SameSite attribute to Lax or Strict where the storefront allows it; browsers then omit the session cookie from cross-site form POSTs, so a forged request arrives without the victim's session
  • At the WAF or reverse proxy, block state-changing requests (POST, PUT, PATCH, DELETE) to account endpoints whose Origin or Referer header is absent or names a host other than the store, and alert on the rest

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for a solidus_auth_devise version below 2.5.4, then check which strategy protect_from_forgery uses in the application controller (no with: option means :null_session). An application is vulnerable when both conditions hold: old version and a strategy other than :exception.

Check Version:

grep -E '^    solidus_auth_devise \(' Gemfile.lock

The four-space indent selects the resolved spec line (for example "    solidus_auth_devise (2.5.3)") rather than dependency constraints such as "(~> 2.5)".

Verify Fix Applied:

Confirm that Gemfile.lock resolves solidus_auth_devise to 2.5.4 or later. As a functional check, submit a state-changing request to a frontend account endpoint without the authenticity token and confirm it is rejected: with the :exception strategy Rails answers with HTTP 422 and the account is unchanged.
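The following audit script, added here as an example and not part of solidus_auth_devise or the advisory, automates the two checks above and also shows the weak and the corrected protect_from_forgery configuration from the workaround section side by side. It parses a Gemfile.lock for the resolved solidus_auth_devise version, reads the strategy out of an application controller, and combines both into a verdict. The lockfile and controller sources embedded below are constructed samples; the file paths in the usage branch are assumptions about a standard Rails layout.

```ruby
# Audit helper (added example): does this app's Gemfile.lock and
# application controller fall under CVE-2021-41274?
require "rubygems" # Gem::Version

FIXED_VERSION = Gem::Version.new("2.5.4")

# Resolved version from Gemfile.lock, or nil when the gem is absent.
# The spec line is indented four spaces ("    solidus_auth_devise (2.5.3)");
# dependency lines are indented six and carry constraints like "(~> 2.5)".
def installed_version(lockfile_text)
  m = lockfile_text.match(/^ {4}solidus_auth_devise \(([0-9A-Za-z.]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Strategy given to protect_from_forgery in the controller source:
# :exception, :reset_session, :null_session (explicit or, with no with:
# option, the Rails default), or nil when there is no call at all. Rails 5.2+
# apps can enable :exception implicitly via default_protect_from_forgery, so
# nil means "review the Rails configuration", not "safe".
def forgery_strategy(controller_source)
  m = controller_source.match(/^\s*protect_from_forgery\b([^\n]*)/)
  return nil unless m
  opts = m[1].sub(/#.*/, "") # ignore trailing comments
  return :exception     if opts.include?(":exception")
  return :reset_session if opts.include?(":reset_session")
  :null_session
end

def assess(lockfile_text, controller_source)
  version  = installed_version(lockfile_text)
  strategy = forgery_strategy(controller_source)
  return { vulnerable: false, reason: "solidus_auth_devise not in Gemfile.lock" } if version.nil?
  if version >= FIXED_VERSION
    return { vulnerable: false, reason: "#{version} >= #{FIXED_VERSION}", version: version }
  end
  case strategy
  when :exception
    { vulnerable: false, reason: "#{version} < #{FIXED_VERSION}, but :exception blocks the attack",
      version: version, strategy: strategy }
  when nil
    { vulnerable: :unknown, reason: "#{version} < #{FIXED_VERSION}; no explicit protect_from_forgery",
      version: version, strategy: nil }
  else
    { vulnerable: true, reason: "#{version} < #{FIXED_VERSION} with #{strategy.inspect} strategy",
      version: version, strategy: strategy }
  end
end

# Constructed sample inputs (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      solidus_auth_devise (2.5.3)
        devise (~> 4.1)
LOCK

# Weak setting: no with: option, so Rails falls back to :null_session.
VULNERABLE_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery   # defaults to :null_session
  end
RUBY

# Corrected setting from the workaround: reject forged requests outright.
HARDENED_CONTROLLER = <<~RUBY
  class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  if ARGV.length == 2
    # Usage: ruby audit.rb Gemfile.lock app/controllers/application_controller.rb
    puts assess(File.read(ARGV[0]), File.read(ARGV[1]))
  else
    puts assess(SAMPLE_LOCK, VULNERABLE_CONTROLLER)
    puts assess(SAMPLE_LOCK, HARDENED_CONTROLLER)
  end
end
```

The script only looks at one controller file; if protect_from_forgery is called in a subclass (for example a Spree controller decorator), point it at that file as well, since a later call overrides the strategy for that controller tree.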

📡 Detection & Monitoring

Log Indicators:

  • Multiple account-modification requests for the same account from an IP address or user agent that the account has not used before
  • In the Rails application log, the warning "Can't verify CSRF token authenticity." immediately followed by a "Completed" line with a 2xx or 3xx status for an account-modification action: the token check failed but the action still ran, which is exactly what :null_session and :reset_session allow (requires the default config.action_controller.log_warning_on_csrf_failure = true)

Network Indicators:

  • POST, PUT or PATCH requests to user account endpoints with no Origin or Referer header, or with one naming a host other than the store
  • Unusual account-modification patterns, such as an email or password change shortly after a request of the kind above

SIEM Query:

source=web_logs method IN (POST, PUT, PATCH) uri_path="/user*" AND (NOT referer=* OR NOT referer="https://store.example/*") | stats count by src_ip, uri_path

The query above is pseudo-syntax: store.example stands for the storefront's own origin, and the uri_path pattern must be adapted to the application's account routes. Web server access logs usually do not record the authenticity token (it travels in the POST body or a request header), so the Referer/Origin check is the field-level signal that is actually available there; the "Can't verify CSRF token authenticity" warning lives in the Rails application log.
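The following detector, added here as an example and not part of solidus_auth_devise, runs the Rails-log indicator described above over application log text. It groups log lines into requests, and flags a state-changing request to an account controller that logged the CSRF warning yet completed with a 2xx or 3xx status (under :exception the same request would end in a 422). The log excerpt is constructed; the controller names and the /users/42 path are assumptions about the storefront's routes and should be adjusted to the deployed application.

```ruby
# Added detection example: find requests that failed the CSRF check but
# still completed, i.e. ran under :null_session or :reset_session.

STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze
# Assumed frontend controller names to watch; adjust to the app's routes.
ACCOUNT_CONTROLLERS = [
  "Spree::UsersController",
  "Spree::UserPasswordsController",
  "Spree::UserRegistrationsController",
].freeze
CSRF_WARNING = "Can't verify CSRF token authenticity".freeze

Request = Struct.new(:method, :path, :ip, :controller, :status, :csrf_failed,
                     keyword_init: true)

# Group a Rails log into per-request records. A request starts at a
# "Started ..." line and ends at the next "Completed ..." line. This assumes
# serialised requests; for multi-threaded servers, tag log lines with the
# request id first and group on that instead.
def parse_rails_log(text)
  requests = []
  current = nil
  text.each_line do |line|
    case line
    when /^Started (\w+) "([^"]+)" for (\S+)/
      current = Request.new(method: $1, path: $2, ip: $3, csrf_failed: false)
    when /^Processing by (\S+)#\w+/
      current.controller = $1 if current
    when /#{Regexp.escape(CSRF_WARNING)}/
      current.csrf_failed = true if current
    when /^Completed (\d{3})/
      next unless current
      current.status = $1.to_i
      requests << current
      current = nil
    end
  end
  requests
end

# Token check failed, yet the account action ran to a success/redirect.
def suspicious?(req)
  STATE_CHANGING.include?(req.method) &&
    ACCOUNT_CONTROLLERS.include?(req.controller) &&
    req.csrf_failed &&
    req.status.between?(200, 399)
end

def find_csrf_bypasses(text)
  parse_rails_log(text).select { |r| suspicious?(r) }
end

# Constructed sample log: one bypass (302 after the warning), one request
# rejected with 422 as :exception would do, one GET, one clean update.
SAMPLE_LOG = <<~LOG
  Started PATCH "/users/42" for 203.0.113.5 at 2021-11-17 10:00:00 +0000
  Processing by Spree::UsersController#update as HTML
  Can't verify CSRF token authenticity.
  Completed 302 Found in 41ms (ActiveRecord: 6.2ms)
  Started PATCH "/users/42" for 203.0.113.5 at 2021-11-17 10:01:00 +0000
  Processing by Spree::UsersController#update as HTML
  Can't verify CSRF token authenticity.
  Completed 422 Unprocessable Entity in 3ms
  Started GET "/account" for 198.51.100.7 at 2021-11-17 10:02:00 +0000
  Processing by Spree::UsersController#show as HTML
  Completed 200 OK in 12ms
  Started PATCH "/users/42" for 198.51.100.7 at 2021-11-17 10:03:00 +0000
  Processing by Spree::UsersController#update as HTML
  Completed 302 Found in 39ms
LOG

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby csrf_bypass_scan.rb log/production.log (falls back to the sample)
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  find_csrf_bypasses(text).each do |r|
    puts "#{r.ip} #{r.method} #{r.path} -> #{r.controller} completed #{r.status} despite CSRF failure"
  end
end
```

A hit from this scan is not proof of an attack (a stale token on a legitimate form produces the same lines), but every hit is a request that changed account state without a valid token, which is the condition the vulnerability turns into account takeover; correlate hits with the email or password changes that followed.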

🔗 References

  • Vendor advisory: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41274
