CVE-2020-26223

Published: Nov 13, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Spree is a complete open source e-commerce solution built with Ruby on Rails. In Spree from version 3.7 and before versions 3.7.13, 4.0.5, and 4.1.12, there is an authorization bypass vulnerability. The perpetrator could query the API v2 Order Status endpoint with an empty string passed as an Order token. This is patched in versions 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.

Affected (3)

Products: Spreecommerce: Spree

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Spreecommerce Spree	From 3.7.0 to 3.7.13
Spreecommerce Spree	From 4.0.0 to 4.0.5
Spreecommerce Spree	From 4.1.0 to 4.1.12

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

https://github.com/spree/spree/pull/10573

Source: security-advisories@github.com

ExploitPatchThird Party Advisory

https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr

Source: security-advisories@github.com

Third Party Advisory

https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status

Source: security-advisories@github.com

Vendor Advisory

https://github.com/spree/spree/pull/10573

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatchThird Party Advisory

https://github.com/spree/spree/security/advisories/GHSA-m2jr-hmc3-qmpr

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.