CVE-2020-15269 – spree

Package

Manager: gem
Name: spree
Vulnerable Version: >=0 <3.7.11 || >=4.0.0 <4.0.4 || >=4.1.0 <4.1.11

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00257 pctl0.48898

Details

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls ### Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. ### Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. ### Workarounds In your project directory create a decorator file `app/controllers/spree/api/v2/base_controller_decotatror.rb` with contents: ```ruby module Spree module Api module V2 module BaseControllerDecorator private def spree_current_user return nil unless doorkeeper_token return @spree_current_user if @spree_current_user doorkeeper_authorize! @spree_current_user ||= ::Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id) end end end end Spree::Api::V2::BaseController.prepend(Spree::Api::V2::BaseControllerDecorator) ``` ### For more information If you have any questions or comments about this advisory: * Email us at [security@spreecommerce.org](mailto:security@spreecommerce.org)

Metadata

Created: 2020-10-20T20:03:52Z
Modified: 2021-11-19T13:51:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-f8cm-364f-q9qh/GHSA-f8cm-364f-q9qh.json
CWE IDs: ["CWE-287", "CWE-613"]
Alternative ID: GHSA-f8cm-364f-q9qh
Finding: F076
Auto approve: 1