VYPR
High severityNVD Advisory· Published Dec 7, 2021· Updated Aug 4, 2024

ReDos vulnerability on guest checkout email validation

CVE-2021-43805

Description

Solidus is a free, open-source ecommerce platform built on Rails. Versions of Solidus prior to 3.1.4, 3.0.4, and 2.11.13 have a denial of service vulnerability that could be exploited during a guest checkout. The regular expression used to validate a guest order's email was subject to exponential backtracking through a fragment like a.a. Versions 3.1.4, 3.0.4, and 2.11.13 have been patched to use a different regular expression. The maintainers added a check for email addresses that are no longer valid that will print information about any affected orders that exist. If a prompt upgrade is not an option, a workaround is available. It is possible to edit the file config/application.rb manually (with code provided by the maintainers in the GitHub Security Advisory) to check email validity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
solidus_coreRubyGems
< 2.11.132.11.13
solidus_coreRubyGems
>= 3.0.0, < 3.0.43.0.4
solidus_coreRubyGems
>= 3.1.0, < 3.1.43.1.4

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.