CVE-2020-26223 (spree_api): Authorization bypass in Spree

ADVISORIES

CVE-2020-26223 (NVD)
GHSA-m2jr-hmc3-qmpr
Vendor Advisory

GEM

spree_api

SEVERITY

CVSS v3.x: 7.7 (High)

UNAFFECTED VERSIONS

< 3.7.0

PATCHED VERSIONS

~> 3.7.11
~> 4.0.4
>= 4.1.11

DESCRIPTION

Impact

The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

https://github.com/spree/spree/pull/10573

RubySec