RubySec

Providing security resources for the Ruby community

CVE-2020-15269 (spree): Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

ADVISORIES

GEM

spree

SEVERITY

CVSS v3: 7.4

UNAFFECTED VERSIONS

  • < 3.7.0

PATCHED VERSIONS

  • ~> 3.7.11
  • ~> 4.0.4
  • >= 4.1.11

DESCRIPTION

Impact

The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints.

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version.