Lookup for vulnerable packages by Package URL.
| Purl | pkg:gem/solidus_core@3.1.0 |
|---|
| Type | gem |
|---|
| Namespace | |
|---|
| Name | solidus_core |
|---|
| Version | 3.1.0 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 3.1.3 |
|---|
| Latest_non_vulnerable_version | 3.1.5 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-1amr-xv82-93ac |
| vulnerability_id |
VCID-1amr-xv82-93ac |
| summary |
Inefficient Regular Expression Complexity
Solidus is a free, open-source ecommerce platform built on Rails.If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file `config/application.rb` manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-43805, GHSA-qxmr-qxh6-2cc9
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1amr-xv82-93ac |
|
| 1 |
| url |
VCID-6n5g-nh97-nbbf |
| vulnerability_id |
VCID-6n5g-nh97-nbbf |
| summary |
Cross-Site Request Forgery (CSRF)
`solidus_frontend` is the cart and storefront for the Solidus e-commerce project. Versions of `solidus_frontend` contain a cross-site request forgery (CSRF) vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. contain a patch for this issue. The patch adds CSRF token verification to the "Add to cart" action. Adding forgery protection to a form that missed it can have some side effects. Other CSRF protection strategies as well as a workaround involving modifcation to config/application.rb` are available. More details on these mitigations are available in the GitHub Security Advisory. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-43846, GHSA-h3fg-h5v3-vf8m
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6n5g-nh97-nbbf |
|
| 2 |
| url |
VCID-c2de-ucf9-eqcp |
| vulnerability_id |
VCID-c2de-ucf9-eqcp |
| summary |
Authentication Bypass by CSRF Weakness
### Impact
The actual vulnerability has been discovered on `solidus_auth_devise`. See [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2) for details.
The security advisory here exists to provide an extra layer of security in the form of a monkey patch for users who don't update `solidus_auth_devise`. For this reason, it has been marked as low impact on this end.
### Patches
For extra security, update `solidus_core` to versions `3.1.3`, `3.0.3` or `2.11.12`.
### Workarounds
Look at the workarounds described at [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2).
### References
- [GHSA-xm34-v85h-9pg2](https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2).
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise/issues) or a discussion in [solidus](https://github.com/solidusio/solidus/discussions)
* Email us at [security@solidus.io](mailto:security@soliidus.io)
* Contact the core team on [Slack](http://slack.solidus.io/) |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-5629-8855-gf4g, GMS-2021-4
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c2de-ucf9-eqcp |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:gem/solidus_core@3.1.0 |
|---|