GHSA-m2jr-hmc3-qmpr

Suggest an improvement
Source
https://github.com/advisories/GHSA-m2jr-hmc3-qmpr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-m2jr-hmc3-qmpr/GHSA-m2jr-hmc3-qmpr.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m2jr-hmc3-qmpr
Aliases
Published
2020-11-13T17:18:22Z
Modified
2023-11-01T04:52:42.943882Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Authorization bypass in Spree
Details

Impact

The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

References

Pull request with a fix and in-depth explanation - https://github.com/spree/spree/pull/10573

For more information

If you have any questions or comments about this advisory: * Email us at security@spreecommerce.org

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-11-13T17:18:00Z"
}
References

Affected packages

RubyGems / spree_api

Package

Name
spree_api
Purl
pkg:gem/spree_api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.7.0
Fixed
3.7.13

Affected versions

3.*

3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.7.9
3.7.10
3.7.11
3.7.12

RubyGems / spree_api

Package

Name
spree_api
Purl
pkg:gem/spree_api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.0.5

Affected versions

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4

RubyGems / spree_api

Package

Name
spree_api
Purl
pkg:gem/spree_api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.1.12

Affected versions

4.*

4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.1.10
4.1.11