In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is…
Source: GitHub_M · CWE-287 · Published: 2020-10-20
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
### Impact

The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints.

### Patches

Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on the Spree version you use.

### Workarounds

In your project directory create a decorator file `app/controllers/spree/api/v2/base_controller_decorator.rb` with the following contents:

```ruby
module Spree
  module Api
    module V2
      module BaseControllerDecorator
        private

        def spree_current_user
          return nil unless doorkeeper_token
          return @spree_current_user if @spree_current_user

          # Reject expired or revoked tokens before resolving the user
          doorkeeper_authorize!
          @spree_current_user ||= ::Spree.user_class.find_by(id: doorkeeper_token.resource_owner_id)
        end
      end
    end
  end
end

Spree::Api::V2::BaseController.prepend(Spree::Api::V2::BaseControllerDecorator)
```

### For more information

If you have any questions or comments about this advisory:

* Email us at [security@spreecommerce.org](mailto:security@spreecommerce.org)
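To show what the workaround's `doorkeeper_authorize!` call actually changes, here is an added example (not Spree's or Doorkeeper's code) that models a token with Doorkeeper-style `created_at`, `expires_in` and `revoked_at` fields and contrasts a user lookup that ignores token validity with one that checks it first; the `AccessToken`, `User` and `USERS` definitions are constructed for illustration.

```ruby
# Constructed model of the expired-token check; not Spree or Doorkeeper code.
User = Struct.new(:id, :email)

class AccessToken
  attr_reader :resource_owner_id, :created_at, :expires_in, :revoked_at

  def initialize(resource_owner_id:, created_at:, expires_in:, revoked_at: nil)
    @resource_owner_id = resource_owner_id
    @created_at = created_at
    @expires_in = expires_in   # lifetime in seconds; nil means never expires
    @revoked_at = revoked_at
  end

  def expired?(now = Time.now)
    return false if expires_in.nil?
    now >= created_at + expires_in
  end

  def revoked?
    !revoked_at.nil?
  end

  # Mirrors the predicate Doorkeeper exposes as AccessToken#accessible?
  def accessible?(now = Time.now)
    !expired?(now) && !revoked?
  end
end

# Constructed sample user table standing in for Spree.user_class
USERS = { 7 => User.new(7, 'alice@example.test') }.freeze

# Vulnerable pattern: the owner is resolved from the token row without
# checking whether the token is still valid, so a stale token still
# maps to a user.
def vulnerable_current_user(token, _now = Time.now)
  return nil unless token
  USERS[token.resource_owner_id]
end

# Patched pattern: the validity check doorkeeper_authorize! performs in
# the workaround runs first; an expired or revoked token yields no user.
def patched_current_user(token, now = Time.now)
  return nil unless token && token.accessible?(now)
  USERS[token.resource_owner_id]
end
```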
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
| CVSS Version | Type | Source | Base Score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.4 | 10.0 | 4.9 | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| 3.1 | Primary | NVD | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Primary | cve.org | 7.4 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Secondary | GHSA | 7.4 | — | — | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | Secondary | NVD | 7.4 | 2.2 | 5.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |