Lucene search

RubySecRUBY:SPREE_API-2020-26223

HistoryNov 12, 2020 - 9:00 p.m.

Authorization bypass in Spree

2020-11-1221:00:00

RubySec

github.com

authorization bypass

spree

api vulnerability

order status

upgrade

software

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

JSON

Impact

The perpetrator could query the [API v2 Order Status]
(https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint
with an empty string passed as an Order token

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.
Users of Spree < 3.7 are not affected.

Affected configurations

Vulners

Node

rubyspree_apiRange3.7.0–3.7.11

rubyspree_apiRange4.0.0–4.0.4

rubyspree_apiRange≤4.1.11

VendorProductVersionCPE
rubyspree_api*cpe:2.3:a:ruby:spree_api:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	spree_api	*	cpe:2.3:a:ruby:spree_api::::::::

References

github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

JSON

Related for RUBY:SPREE_API-2020-26223