spree_api 3.7.1

1 security vulnerability found in version 3.7.1

Authorization bypass in Spree

high severity CVE-2020-26223
Patched versions: ~> 3.7.11, ~> 4.0.4, >= 4.1.11
Unaffected versions: < 3.7.0

Impact

The perpetrator could query the [API v2 Order Status](https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token.

Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11, depending on the Spree version you use. Users of Spree < 3.7 are not affected.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leak issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.