Description
Authorization bypass in Spree
Impact
An attacker could query the API v2 Order Status endpoint with an empty string passed as the Order token and retrieve order information without presenting a valid token.
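To make the failure mode concrete, the following is an added example (not Spree's code, and not taken from the fix in the referenced pull request): a small in-memory order-status lookup in the weak form, where a blank presented token is simply compared against stored tokens, beside a hardened form that rejects a blank token before any record is consulted. The order numbers, tokens, the `ORDERS` store and the helper names are constructed for illustration; the mechanism by which a blank token matches (an order persisted with an empty token) is an assumption, shown only to explain why presence must be validated up front.

```ruby
# Added example, not part of the Spree project. Demonstrates rejecting a blank
# order token before lookup; all data and helper names below are constructed.
require 'securerandom'

Order = Struct.new(:number, :token, :state, keyword_init: true)

# Constructed sample store. The second order was persisted with an empty token,
# which is the assumed situation in which a blank presented token can match.
ORDERS = [
  Order.new(number: 'R100000001', token: SecureRandom.hex(16), state: 'complete'),
  Order.new(number: 'R100000002', token: '', state: 'complete')
].freeze

class OrderNotFound < StandardError; end

# Weak lookup: matches purely on (number, token) equality, so a blank token
# matches any order whose stored token is blank.
def find_order_weak(number, token, orders = ORDERS)
  orders.find { |o| o.number == number && o.token == token } or raise OrderNotFound
end

# Hardened lookup: a blank token (nil, '' or whitespace) is treated as absent and
# rejected before any record comparison; the stored token must also be non-blank,
# and the two are compared in constant time.
def find_order_hardened(number, token, orders = ORDERS)
  raise OrderNotFound if token.nil? || token.strip.empty?
  order = orders.find { |o| o.number == number }
  raise OrderNotFound if order.nil? || order.token.to_s.empty?
  raise OrderNotFound unless secure_equal?(order.token, token)
  order
end

# Constant-time byte comparison: length is checked first, then every byte is
# XORed and OR-accumulated so the loop does not exit early on a mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Status endpoint handler: returns the order state or a generic not-found error,
# so an invalid or missing token reveals nothing about existing order numbers.
def order_status(number, token, lookup: :hardened)
  order = lookup == :hardened ? find_order_hardened(number, token) : find_order_weak(number, token)
  { number: order.number, state: order.state }
rescue OrderNotFound
  { error: 'order not found' }
end

if __FILE__ == $PROGRAM_NAME
  p order_status('R100000002', '', lookup: :weak)   # weak path: status leaks
  p order_status('R100000002', '')                  # hardened path: not found
end
```

The point of the hardened version is the first line: presence of the credential is checked before it is ever used as a lookup key, and the not-found response is identical whether the number, the token, or both are wrong.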
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on the Spree version you use. Users of Spree < 3.7 are not affected.
References
Pull request with a fix and in-depth explanation - https://github.com/spree/spree/pull/10573
For more information
If you have any questions or comments about this advisory:
- Email us at security@spreecommerce.org
Links
- https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
- https://nvd.nist.gov/vuln/detail/CVE-2020-26223
- https://github.com/spree/spree/pull/10573
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_api/CVE-2020-26223.yml
- https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status
- https://rubygems.org/gems/spree_api/versions
Packages
- spree_api: affected >= 3.7.0, < 3.7.13; patched in 3.7.13
- spree_api: affected >= 4.0.0, < 4.0.5; patched in 4.0.5
- spree_api: affected >= 4.1.0, < 4.1.12; patched in 4.1.12
Related vulnerabilities
Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. An attacker could query the API v2 Order Status endpoint with an empty string passed as the Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on the Spree version you use. Users of Spree < 3.7 are not affected.