CVE-2020-15269

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-15269
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15269.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-15269
Aliases
Published
2020-10-20T21:15:12Z
Modified
2024-10-12T06:12:57.245425Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.

References

Affected packages

Git / github.com/spree/spree

Affected ranges

Type
GIT
Repo
https://github.com/spree/spree
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.11.0
v0.11.99
v0.2.0
v0.30.0.beta1
v0.4.0
v0.40.0
v0.5.0
v0.7.0
v0.70.0.rc2
v0.8.0
v0.8.1
v0.8.2

v1.*

v1.0.0.rc1
v1.0.0.rc2
v1.0.0.rc3
v1.2.0.rc1

v2.*

v2.4.0.rc1
v2.4.0.rc2
v2.4.0.rc3

v3.*

v3.0.0.rc1
v3.1.0.rc1
v3.2.0.rc1
v3.2.2
v3.3.0
v3.3.0.rc1
v3.3.0.rc2
v3.3.0.rc3
v3.3.0.rc4
v3.4.0
v3.4.0.rc1
v3.4.0.rc2
v3.5.0.rc1
v3.6.0.rc1
v3.7.0.beta
v3.7.0.rc1

v4.*

v4.0.0.beta
v4.1.0
v4.1.0.rc1
v4.1.0.rc2
v4.1.0.rc3
v4.1.1
v4.1.10
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9