RubySec

Providing security resources for the Ruby community

CVE-2020-26223 (spree_api): Authorization bypass in Spree

GEM

spree_api

SEVERITY

CVSS v3: 7.7 (High)

UNAFFECTED VERSIONS

  • < 3.7.0

PATCHED VERSIONS

  • ~> 3.7.11
  • ~> 4.0.4
  • >= 4.1.11

DESCRIPTION

Impact

An attacker could query the [API v2 Order Status](https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as the order token and retrieve order data without holding the order's real token.
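The advisory states only that an empty order token bypassed the check; the following added Ruby model (not Spree's own code) assumes one common way that happens, a lookup that skips the token filter when the token is blank, and shows the hardened form that rejects blank tokens before any lookup. The order numbers, tokens and e-mail addresses are constructed sample data.

```ruby
# Illustrative model of a token-guarded order-status lookup. This is added
# example code, not Spree's implementation; the "blank token skips the filter"
# mechanism is an assumption used to demonstrate the class of bug.
Order = Struct.new(:number, :token, :email)

# Constructed sample data standing in for the orders table.
ORDERS = [
  Order.new('R123456789', 'tok_a1b2c3', 'alice@example.com'),
  Order.new('R987654321', 'tok_d4e5f6', 'bob@example.com')
].freeze

# Vulnerable pattern (assumed): the token condition is only applied when a
# token is present, so "" turns the lookup into "find by order number only".
def find_order_vulnerable(number, token, orders = ORDERS)
  matches = orders.select { |o| o.number == number }
  matches = matches.select { |o| o.token == token } unless token.to_s.empty?
  matches.first
end

# Constant-time string comparison so the token check does not leak which
# prefix of a guess was correct (length is still compared up front).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened lookup: a missing or blank token is rejected before any query,
# and the token must match exactly; there is no "no token, no filter" path.
def find_order_secure(number, token, orders = ORDERS)
  return nil if token.nil? || token.strip.empty?
  orders.find { |o| o.number == number && secure_compare(o.token, token) }
end
```

Run the vulnerable function with a known order number and an empty token to see it return the order; the secure function returns nil for the same input.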

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use. Users of Spree < 3.7 are not affected.