Authorization Bypass

2020-11-1603:02:19

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

55.4%

JSON

spree is vulnerable to authorization bypass. An attacker is able to bypass authorization checks by passing an empty string as the token and successfully query the API for any completed order.

CPENameOperatorVersion
spree_apile4.0.4
spree_apile3.7.12
spree_apile4.1.11
spree_apile4.2.0.rc1

Name	Operator	Version
spree_api	le	4.0.4
spree_api	le	3.7.12
spree_api	le	4.1.11
spree_api	le	4.2.0.rc1

References

github.com/advisories/GHSA-m2jr-hmc3-qmpr

github.com/spree/spree/pull/10573

github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr

guides.spreecommerce.org/api/v2/storefront#tag/Order-Status

0.002 Low

EPSS

Percentile

55.4%

JSON

Related for VERACODE:27889