spree_api 3.7.7
1 security vulnerability
found in version
3.7.7
Authorization bypass in Spree
high severity CVE-2020-26223
high severity
CVE-2020-26223
Patched versions:
~> 3.7.11, ~> 4.0.4, >= 4.1.11
Unaffected versions:
< 3.7.0
Impact
The perpetrator could query the [API v2 Order Status] (https://guides.spreecommerce.org/api/v2/storefront#tag/Order-Status) endpoint with an empty string passed as an Order token
Patches
Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree < 3.7 are not affected.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.