Lucene search

GitHub_MCVELIST:CVE-2020-15269

HistoryOct 20, 2020 - 8:15 p.m.

CVE-2020-15269 Expired token reuse in Spree

2020-10-2020:15:14

CWE-287

CWE-613

GitHub_M

www.cve.org

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.0%

JSON

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

CNA Affected

[
  {
    "product": "spree",
    "vendor": "spree",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.7.11"
      },
      {
        "status": "affected",
        "version": ">= 4.0.0, < 4.0.4"
      },
      {
        "status": "affected",
        "version": ">= 4.1.0, < 4.1.11"
      }
    ]
  }
]

References

github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847

github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

51.0%

JSON

Related for CVELIST:CVE-2020-15269