GHSA-55rf-8q29-4g43

Source

https://github.com/advisories/GHSA-55rf-8q29-4g43

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-55rf-8q29-4g43

Aliases

CVE-2024-40633

Published

2024-07-17T14:32:18Z

Modified

2026-03-10T03:49:44.078882Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Sylius has a security vulnerability via adjustments API endpoint

Details

Impact

A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.

Patches

The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.

Workarounds

Using YAML configuration:

Create config/api_platform/Adjustment.yaml file:

# config/api_platform/Adjustment.yaml

'%sylius.model.adjustment.class%':
    itemOperations:
        shop_get:
            controller: ApiPlatform\Core\Action\NotFoundAction
            read: false
            output: false

Or using XML configuration:

Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version.

Copy the original configuration from vendor:

# create directory if it doesn't exist
mkdir -p config/api_platform

cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform

And change the shop_get operation in copied config/api_platform/Adjustment.xml file:

<!-- config/api_platform/Adjustment.xml -->

...
<itemOperation name="shop_get">
    <attribute name="method">GET</attribute>
    <attribute name="path">/shop/adjustments/{id}</attribute>
    <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
    <attribute name="read">false</attribute>
    <attribute name="output">false</attribute>
</itemOperation>
...

Update your API platform paths config if needed so the new configuration file is loaded:

# config/packages/api_platform.yaml
api_platform:
    mapping:
        paths:
          - '%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources'
          ...
          - '%kernel.project_dir%/config/api_platform'

For more information

If you have any questions or comments about this advisory:

Open an issue in Sylius issues
Email us at security@sylius.com

Database specific

{
    "cwe_ids": [
        "CWE-200",
        "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T14:32:18Z",
    "nvd_published_at": "2024-07-17T18:15:04Z",
    "severity": "HIGH"
}

References

Affected packages

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.12.0-alpha.1

Fixed

1.12.19

Affected versions

v1.*

v1.12.0-alpha.1

v1.12.0-alpha.2

v1.12.0-beta.1

v1.12.0-rc.1

v1.12.0

v1.12.1

v1.12.2

v1.12.3

v1.12.4

v1.12.5

v1.12.6

v1.12.7

v1.12.8

v1.12.9

v1.12.10

v1.12.11

v1.12.12

v1.12.13

v1.12.14

v1.12.15

v1.12.16

v1.12.17

v1.12.18

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json"

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.13.0-alpha.1

Fixed

1.13.4

Affected versions

v1.*

v1.13.0-alpha.1

v1.13.0-alpha.2

v1.13.0-beta.1

v1.13.0-rc.1

v1.13.0

v1.13.1

v1.13.2

v1.13.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json"

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.12

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.15.0

v0.16.0

v0.17.0

v0.18.0

v0.19.0

v1.*

v1.0.0-alpha.1

v1.0.0-alpha.2

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.0.10

v1.0.11

v1.0.12

v1.0.13

v1.0.14

v1.0.15

v1.0.16

v1.0.17

v1.0.18

v1.1.0-RC

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.1.5

v1.1.6

v1.1.7

v1.1.8

v1.1.9

v1.1.10

v1.1.11

v1.1.12

v1.1.13

v1.1.14

v1.1.15

v1.1.16

v1.1.17

v1.1.18

v1.2.0-BETA

v1.2.0-RC

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.2.10

v1.2.11

v1.2.12

v1.2.13

v1.2.14

v1.2.15

v1.2.16

v1.2.17

v1.3.0-BETA

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.3.10

v1.3.11

v1.3.12

v1.3.13

v1.3.14

v1.3.15

v1.3.16

v1.4.0-BETA.1

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.4.4

v1.4.5

v1.4.6

v1.4.7

v1.4.8

v1.4.9

v1.4.10

v1.4.11

v1.4.12

v1.5.0-RC.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.5.4

v1.5.5

v1.5.6

v1.5.7

v1.5.8

v1.5.9

v1.6.0-ALPHA.1

v1.6.0-ALPHA.2

v1.6.0-RC.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v1.7.0-ALPHA.1

v1.7.0-ALPHA.2

v1.7.0-RC.1

v1.7.0

v1.7.1

v1.7.2

v1.7.3

v1.7.4

v1.7.5

v1.7.6

v1.7.7

v1.7.8

v1.7.9

v1.7.10

v1.7.11

v1.8.0-RC.1

v1.8.0

v1.8.1

v1.8.2

v1.8.3

v1.8.4

v1.8.5

v1.8.6

v1.8.7

v1.8.8

v1.8.9

v1.8.10

v1.8.11

v1.8.12

v1.9.0-ALPHA.1

v1.9.0-BETA.1

v1.9.0-ALPHA.2

v1.9.0-BETA.2

v1.9.0-BETA.3

v1.9.0-RC.1

v1.9.0-RC.2

v1.9.0

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v1.9.7

v1.9.8

v1.9.9

v1.9.10

v1.9.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json"

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.10.0-alpha.1

Fixed

1.10.16

Affected versions

v1.*

v1.10.0-alpha.1

v1.10.0-beta.1

v1.10.0-rc.1

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.10.4

v1.10.5

v1.10.6

v1.10.7

v1.10.8

v1.10.9

v1.10.10

v1.10.11

v1.10.12

v1.10.13

v1.10.14

v1.10.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json"

last_known_affected_version_range

"<= 1.10.15"

Packagist / sylius/sylius

Package

Name: sylius/sylius
Purl: pkg:composer/sylius/sylius

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.11.0-alpha.1

Fixed

1.11.17

Affected versions

v1.*

v1.11.0-alpha.1

v1.11.0-alpha.2

v1.11.0-beta.1

v1.11.0-rc.1

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.11.7

v1.11.8

v1.11.9

v1.11.10

v1.11.11

v1.11.12

v1.11.13

v1.11.14

v1.11.15

v1.11.16

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-55rf-8q29-4g43/GHSA-55rf-8q29-4g43.json"

last_known_affected_version_range

"<= 1.11.16"