Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls
Published: October 20, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-15269 (NVD)
- GHSA: GHSA-f8cm-364f-q9qh
- Vendor Advisory: https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
GEM
SEVERITY
CVSS v3.x: 7.4 (High)
UNAFFECTED VERSIONS
< 3.7.0
PATCHED VERSIONS
~> 3.7.11
~> 4.0.4
>= 4.1.11
DESCRIPTION
Impact
An attacker who had previously obtained an old, expired user token could still use it to authenticate against Storefront API v2 endpoints, because the token's expiry was not checked.
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use.
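The distinction the advisory turns on, shown as an added example that is not Spree's or Doorkeeper's own code: a presence-only check accepts any token record found for a bearer string, while a validity check also requires the token to be unexpired and unrevoked. The `AccessToken` struct, its `accessible?` method and the sample tokens are assumptions modelled on Doorkeeper's token semantics.

```ruby
require 'time'

# Minimal stand-in for a Doorkeeper access token (assumption: expires_in is in seconds).
AccessToken = Struct.new(:token, :created_at, :expires_in, :revoked_at, keyword_init: true) do
  def expired?(now = Time.now)
    !expires_in.nil? && now >= created_at + expires_in
  end

  def revoked?
    !revoked_at.nil?
  end

  # Same meaning as Doorkeeper's accessible?: neither expired nor revoked.
  def accessible?(now = Time.now)
    !expired?(now) && !revoked?
  end
end

# Vulnerable pattern: any token record found for the bearer string counts as authenticated.
def authenticated_presence_only?(token)
  !token.nil?
end

# Fixed pattern: the token must exist and still be valid at request time.
def authenticated_accessible?(token, now = Time.now)
  !token.nil? && token.accessible?(now)
end

# Constructed sample tokens evaluated at a fixed clock.
NOW = Time.utc(2020, 10, 20, 12, 0, 0)
LIVE    = AccessToken.new(token: 'live', created_at: NOW - 60,     expires_in: 7200, revoked_at: nil)
EXPIRED = AccessToken.new(token: 'old',  created_at: NOW - 86_400, expires_in: 7200, revoked_at: nil)
REVOKED = AccessToken.new(token: 'rev',  created_at: NOW - 60,     expires_in: 7200, revoked_at: NOW - 30)

# Returns [token name, presence-only result, validity-checked result] for each sample.
def compare_checks
  [LIVE, EXPIRED, REVOKED].map do |t|
    [t.token, authenticated_presence_only?(t), authenticated_accessible?(t, NOW)]
  end
end

compare_checks.each { |name, weak, strict| puts "#{name}: presence-only=#{weak} accessible=#{strict}" }
```

Only the live token passes the validity check; the expired and revoked tokens are accepted by the presence-only check alone.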
