exploitDog
GHSA-f8cm-364f-q9qh

Published: Oct 20, 2020
Source: github
GitHub: reviewed
CVSS3: 7.4

Description

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

Impact

An attacker who had previously obtained a user's token could keep using it after it expired to access Storefront API v2 endpoints, because the token's validity was not checked when the request was authenticated.

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use.

Workarounds

In your project directory, create a decorator file app/controllers/spree/api/v2/base_controller_decorator.rb (the file name must contain _decorator so that Spree loads it) with the following contents:

    module Spree
      module Api
        module V2
          module BaseControllerDecorator
            private

            def spree_current_user
              # No bearer token at all: the request is anonymous.
              return nil unless doorkeeper_token
              return @spree_current_user if @spree_current_user

              # Reject expired or revoked tokens before resolving the owner;
              # doorkeeper_authorize! renders a 401 when the token is not valid.
              doorkeeper_authorize!

              @spree_current_user ||= ::Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id)
            end
          end
        end
      end
    end

    Spree::Api::V2::BaseController.prepend(Spree::Api::V2::BaseControllerDecorator)
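The following is an added, self-contained illustration of the bug and of the check the workaround adds; it is not Spree's or Doorkeeper's code. The Token struct is a constructed stand-in for a Doorkeeper access token (same predicates doorkeeper_authorize! relies on: expired?, revoked?, accessible?, plus resource_owner_id), and the user table, lifetimes and error class are constructed for the demo.

```ruby
# Added example, not Spree/Doorkeeper code. Token is a constructed stand-in
# for Doorkeeper::AccessToken; USERS and Unauthorized are constructed too.
require 'time'

Token = Struct.new(:resource_owner_id, :created_at, :expires_in, :revoked_at) do
  def expired?
    !expires_in.nil? && Time.now >= created_at + expires_in
  end

  def revoked?
    !revoked_at.nil?
  end

  # A usable token is one that is neither expired nor revoked.
  def accessible?
    !expired? && !revoked?
  end
end

# Constructed user table standing in for Spree.user_class.find_by(id: ...).
USERS = { 1 => 'alice', 2 => 'bob' }.freeze

# Stands in for the 401 that doorkeeper_authorize! renders.
class Unauthorized < StandardError; end

# Vulnerable behaviour: the mere presence of a token object resolves to its
# owner, no matter how long ago the token expired.
def vulnerable_current_user(token)
  return nil unless token

  USERS[token.resource_owner_id]
end

# Hardened behaviour, mirroring the advisory's workaround: validate the token
# first, and only then look up the resource owner.
def hardened_current_user(token)
  return nil unless token
  raise Unauthorized, 'invalid or expired token' unless token.accessible?

  USERS[token.resource_owner_id]
end

# Runs both versions against a fresh, an expired and a revoked token.
def demo
  fresh   = Token.new(1, Time.now, 7200, nil)            # issued now, 2h lifetime
  expired = Token.new(2, Time.now - 86_400, 7200, nil)   # issued a day ago, 2h lifetime
  revoked = Token.new(1, Time.now, 7200, Time.now - 60)  # revoked a minute ago
  {
    vulnerable_expired: vulnerable_current_user(expired),
    hardened_fresh:     hardened_current_user(fresh),
    hardened_expired:   (hardened_current_user(expired) rescue :rejected),
    hardened_revoked:   (hardened_current_user(revoked) rescue :rejected),
    anonymous:          hardened_current_user(nil)
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |outcome, user| puts "#{outcome}: #{user.inspect}" }
end
```

The vulnerable path returns "bob" for a token that expired almost a day earlier, which is exactly the impact described above; the hardened path still serves a fresh token and anonymous requests, but rejects expired and revoked tokens before any user lookup happens.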

For more information

If you have any questions or comments about this advisory:

Packages

Name   Ecosystem  Affected versions    Fixed version
spree  rubygems   < 3.7.11             3.7.11
spree  rubygems   >= 4.0.0, < 4.0.4    4.0.4
spree  rubygems   >= 4.1.0, < 4.1.11   4.1.11

EPSS: 0.00257 (percentile 49%), Low

CVSS3: 7.4 High

Weaknesses

CWE-287 (Improper Authentication)
CWE-613 (Insufficient Session Expiration)

Related vulnerabilities

nvd, CVSS3: 7.4, more than 5 years ago

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
