PT-2020-16352 · Ruby On Rails · Spree

Damianlegawiec · Published 2020-11-13 · Updated 2020-11-30 · CVE-2020-26223

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Spree versions prior to 3.7.11
Spree versions 4.0.0 through 4.0.3
Spree versions 4.1.0 through 4.1.10
Description

The issue is an authorization bypass in Spree, an open source e-commerce platform built with Ruby on Rails. An attacker could query the "API v2 Order Status" endpoint with an empty string passed as the order token. Because the empty token was not rejected, the token check that is supposed to gate access to an order's status could be bypassed, exposing order data to a caller who does not hold that order's token (confidentiality impact only; the vector records no integrity or availability impact).
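To make the bug class concrete, the following is an illustrative example added to this page; it is not Spree's code and does not claim to reproduce the exact patched lines. It models an order-status lookup in which a token filter is applied only when a token is "present", so an empty string degrades the lookup to order number alone, and places the hardened form beside it. The Order struct, the OrderLookup module, the secure_equal? helper and the SAMPLE_ORDERS data are all assumptions constructed for this example.

```ruby
# Illustrative example added to this page; not Spree's code. It models the bug
# class described above: an order-status lookup that treats an empty order
# token as "no token supplied" and therefore skips the token check.
# Order, OrderLookup, secure_equal? and SAMPLE_ORDERS are assumptions.

Order = Struct.new(:number, :token, :user_id, :state, keyword_init: true)

# Constructed sample data: two completed orders owned by different customers.
SAMPLE_ORDERS = [
  Order.new(number: 'R100000001', token: 'tok-a-4f9c1e', user_id: 1, state: 'complete'),
  Order.new(number: 'R100000002', token: 'tok-b-7d2b8a', user_id: 2, state: 'complete')
].freeze

module OrderLookup
  module_function

  # Vulnerable pattern: the token filter is applied only when a token is
  # present, so token == "" collapses to a lookup by order number alone and
  # any caller who can guess or enumerate order numbers can read the order.
  def vulnerable(number:, token:, orders: SAMPLE_ORDERS)
    scope = orders.select { |o| o.number == number }
    scope = scope.select { |o| o.token == token } unless token.nil? || token.empty?
    scope.first
  end

  # Hardened pattern: a blank token is rejected before any lookup happens, and
  # a non-blank token must match the stored token exactly.
  def hardened(number:, token:, orders: SAMPLE_ORDERS)
    return nil if token.nil? || token.strip.empty?

    orders.find { |o| o.number == number && secure_equal?(o.token, token) }
  end

  # Length-checked XOR compare so a mismatch does not reveal, via timing, how
  # far the strings agree. A real Rails app would use
  # ActiveSupport::SecurityUtils.secure_compare; inlined here so the example
  # runs without any gems.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  # An empty token against the vulnerable lookup returns another customer's order.
  p OrderLookup.vulnerable(number: 'R100000002', token: '')
  # The hardened lookup refuses the blank token ...
  p OrderLookup.hardened(number: 'R100000002', token: '')
  # ... but still serves the order to the holder of its real token.
  p OrderLookup.hardened(number: 'R100000002', token: 'tok-b-7d2b8a')
end
```

The point of the hardened form is that "token absent" and "token empty" must both be refused before the database is consulted; a presence check that lives inside the filter chain, rather than in front of it, is exactly what turns a missing credential into a wildcard. The same reasoning applies to whitespace-only tokens, which `strip.empty?` catches.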
Recommendations

For Spree versions prior to 3.7.11, upgrade to version 3.7.11.
For Spree versions 4.0.0 through 4.0.3, upgrade to version 4.0.4.
For Spree versions 4.1.0 through 4.1.10, upgrade to version 4.1.11.

After upgrading, confirm the fix is in effect by sending a request to the API v2 Order Status endpoint with an empty order token and checking that no order data is returned.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2020-26223
GHSA-M2JR-HMC3-QMPR

Affected Products

Spree