ID CVE-2020-15269
Summary In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
References
Vulnerable Configurations
  • cpe:2.3:a:sparksolutions:spree:*:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 18-11-2021 - 16:21)
Impact:
Exploitability:
CWE CWE-613
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
refmap via4
confirm https://github.com/spree/spree/security/advisories/GHSA-f8cm-364f-q9qh
misc https://github.com/spree/spree/commit/e43643abfe51f54bd9208dd02298b366e9b9a847
Last major update 18-11-2021 - 16:21
Published 20-10-2020 - 21:15
Last modified 18-11-2021 - 16:21