Insecure session management in Spree
Description
Spree's API v2 base controller did not verify that the `doorkeeper_token` presented with a request was still valid (for example, not expired) before resolving it to a user. The fix ensures the token is validated when authenticating API v2 calls.
Impact
An attacker who had obtained a user's old, already expired access token could still use it to authenticate to Storefront API v2 endpoints.
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use.
Workarounds
In your project directory, create a decorator file `app/controllers/spree/api/v2/base_controller_decorator.rb` with the following contents:
```ruby
module Spree
  module Api
    module V2
      module BaseControllerDecorator
        private

        def spree_current_user
          return nil unless doorkeeper_token
          # ... (the remainder of the method is truncated on this page)
        end
      end
    end
  end
end
```
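To make the flaw concrete, here is an added, stand-alone Ruby example; it is not Spree's or Doorkeeper's code. It models a Doorkeeper access-token record with the same `expired?`, `revoked?` and `accessible?` predicates, a bearer-string lookup that behaves like `doorkeeper_token` (it returns the stored record whether or not that record is still valid), and the two user lookups side by side: the pre-fix one that trusts any record that exists, and the fixed one that refuses expired or revoked tokens before resolving the user. The token store, the user table, the fixed clock and every function name here are constructed for the example.

```ruby
# Fixed "current time" so the example is deterministic (constructed value).
NOW = Time.utc(2020, 6, 1, 12, 0, 0)

# Stand-in for a Doorkeeper access-token record (an added model, not Doorkeeper's
# class). The predicate names mirror Doorkeeper's AccessToken#expired?,
# #revoked? and #accessible? so the validity check reads the same.
class AccessToken
  attr_reader :token, :resource_owner_id, :created_at, :expires_in, :revoked_at

  def initialize(token:, resource_owner_id:, created_at:, expires_in:, revoked_at: nil)
    @token = token
    @resource_owner_id = resource_owner_id
    @created_at = created_at
    @expires_in = expires_in      # lifetime in seconds, nil for a non-expiring token
    @revoked_at = revoked_at
  end

  def expired?(now = NOW)
    return false if expires_in.nil?
    created_at + expires_in <= now
  end

  def revoked?
    !revoked_at.nil?
  end

  # A token may be used only if it is neither expired nor revoked.
  def accessible?(now = NOW)
    !expired?(now) && !revoked?
  end
end

# Constructed fixtures: a user table and three stored tokens.
USERS = { 7 => 'alice', 9 => 'bob' }.freeze

TOKENS = [
  AccessToken.new(token: 'fresh-alice', resource_owner_id: 7, created_at: NOW - 600, expires_in: 7200),
  AccessToken.new(token: 'expired-bob', resource_owner_id: 9, created_at: NOW - 10_800, expires_in: 7200),
  AccessToken.new(token: 'revoked-bob', resource_owner_id: 9, created_at: NOW - 600, expires_in: 7200,
                  revoked_at: NOW - 60),
].map { |t| [t.token, t] }.to_h.freeze

# Models what doorkeeper_token returns: the record whose token string matches the
# bearer string. Validity is NOT part of this lookup, which is the whole point.
def doorkeeper_token_for(bearer, tokens = TOKENS)
  tokens[bearer]
end

# Pre-fix behaviour: any stored token record resolves to its owner, even one
# that expired hours ago or was revoked.
def vulnerable_current_user(bearer, users = USERS)
  token = doorkeeper_token_for(bearer)
  return nil unless token
  users[token.resource_owner_id]
end

# Fixed behaviour: reject expired or revoked tokens before resolving the owner.
# In a real Doorkeeper controller this is what calling doorkeeper_authorize!
# before the lookup enforces.
def fixed_current_user(bearer, users = USERS, now: NOW)
  token = doorkeeper_token_for(bearer)
  return nil unless token && token.accessible?(now)
  users[token.resource_owner_id]
end

if __FILE__ == $PROGRAM_NAME
  %w[fresh-alice expired-bob revoked-bob unknown].each do |bearer|
    puts format('%-12s vulnerable=%-8s fixed=%s', bearer,
                vulnerable_current_user(bearer).inspect, fixed_current_user(bearer).inspect)
  end
end
```

The point to take from the two lookups: `doorkeeper_token` alone only proves that a bearer string matches a stored record. The validity check (`doorkeeper_authorize!`, or equivalently `doorkeeper_token.acceptable?(scopes)`) has to run before the token is trusted, and the decorator above moves the user lookup behind that check.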
For more information
If you have any questions or comments about this advisory:
Email us at [email protected]
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| rubygems | spree |  | 3.7.11, 4.0.4, 4.1.11 |