Lucene search

RubySecRUBY:SPREE-2020-15269

HistoryOct 19, 2020 - 9:00 p.m.

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

2020-10-1921:00:00

RubySec

github.com

doorkeeper_token

authentication

api v2

expired token

storefront

patches

software upgrade

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

JSON

Impact

The perpetrator who previously obtained an old expired user
token could use it to access Storefront API v2 endpoints.

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.

Affected configurations

Vulners

Node

rubyspreeRange3.7.0–3.7.11

rubyspreeRange4.0.0–4.0.4

rubyspreeRange≤4.1.11

VendorProductVersionCPE
rubyspree*cpe:2.3:a:ruby:spree:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	spree	*	cpe:2.3:a:ruby:spree::::::::

References

github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

JSON

Related for RUBY:SPREE-2020-15269