Authorization bypass in Spree
Published: November 13, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-26223 (NVD)
- GHSA: GHSA-m2jr-hmc3-qmpr
- Vendor Advisory: https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr
GEM
SEVERITY
CVSS v3.x: 7.7 (High)
UNAFFECTED VERSIONS
< 3.7.0
PATCHED VERSIONS
~> 3.7.11
~> 4.0.4
>= 4.1.11
DESCRIPTION
Impact
An attacker could query the [API v2 Order Status](https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as the order token.
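To illustrate the bug class behind this advisory, here is an added example (not Spree's code and not its actual fix) with a hypothetical in-memory order store: a naive token lookup hands out an order whenever the caller's blank token happens to equal a blank stored token, while the hardened lookup rejects blank tokens before any lookup and only matches orders whose token is actually set. Order numbers, tokens and e-mail addresses are constructed sample data.

```ruby
# Hypothetical order model and store; constructed sample data, not Spree's schema.
Order = Struct.new(:number, :token, :email)

ORDERS = [
  Order.new("R100000001", "a1b2c3d4e5f6", "alice@example.com"), # token issued at checkout
  Order.new("R100000002", "",             "bob@example.com"),   # token column left empty
  Order.new("R100000003", nil,            "carol@example.com"), # token never assigned
].freeze

# Naive lookup: mirrors the bug class. A blank token supplied by an anonymous
# caller compares equal to a blank stored token, so the wrong order is returned
# and its details are disclosed without any proof of ownership.
def find_order_naive(token)
  ORDERS.find { |o| o.token == token }
end

# Constant-time comparison so the lookup does not leak token bytes via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened lookup: a missing or blank token is never a valid credential, and an
# order whose token was never set must not be reachable by token at all.
def find_order_hardened(token)
  return nil if token.nil? || token.to_s.strip.empty?
  ORDERS.find do |o|
    o.token.is_a?(String) && !o.token.empty? && secure_equal?(o.token, token.to_s)
  end
end

# Minimal order-status style handler: 404 unless the token proves ownership.
def order_status(token, lookup: method(:find_order_hardened))
  order = lookup.call(token)
  return { status: 404, body: { error: "order not found" } } unless order
  { status: 200, body: { number: order.number, email: order.email } }
end
```

Running `order_status("", lookup: method(:find_order_naive))` returns Bob's order, whereas the default hardened lookup returns 404 for the same request.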
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use. Users of Spree < 3.7 are not affected.
