cvelistv5 - cve-2022-31000

CVE-2022-31000 (GCVE-0-2022-31000)

Vulnerability from cvelistv5 – Published: 2022-06-01 17:25 – Updated: 2025-04-22 17:55

Summary

solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.

Severity ?

2.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/solidusio/solidus/security/adv…	x_refsource_CONFIRM
	https://github.com/solidusio/solidus/commit/de796…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	solidusio	solidus	Affected: < 2.11.16 Affected: >= 3.0.0, < 3.0.6 Affected: >= 3.1.0, < 3.1.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:03:40.214Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-31000",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-22T15:46:02.644442Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-22T17:55:17.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "solidus",
          "vendor": "solidusio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 3.1.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-01T17:25:11.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
        }
      ],
      "source": {
        "advisory": "GHSA-8639-qx56-r428",
        "discovery": "UNKNOWN"
      },
      "title": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31000",
          "STATE": "PUBLIC",
          "TITLE": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "solidus",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 2.11.16"
                          },
                          {
                            "version_value": "\u003e= 3.0.0, \u003c 3.0.6"
                          },
                          {
                            "version_value": "\u003e= 3.1.0, \u003c 3.1.6"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "solidusio"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428",
              "refsource": "CONFIRM",
              "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
            },
            {
              "name": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
              "refsource": "MISC",
              "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-8639-qx56-r428",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-31000",
    "datePublished": "2022-06-01T17:25:11.000Z",
    "dateReserved": "2022-05-18T00:00:00.000Z",
    "dateUpdated": "2025-04-22T17:55:17.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.11.16\", \"matchCriteriaId\": \"6A5D9F81-FC48-4924-9C43-2D769567A39C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndExcluding\": \"3.0.5\", \"matchCriteriaId\": \"B58D450A-ADBF-4E0F-9C11-B11752ADE39E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.1.0\", \"versionEndExcluding\": \"3.1.6\", \"matchCriteriaId\": \"09243C20-0699-4273-A7B9-C2DE53E062E8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.\"}, {\"lang\": \"es\", \"value\": \"solidus_backend es la interfaz de administraci\\u00f3n del framework de comercio electr\\u00f3nico Solidus. Las versiones anteriores a 3.1.6, 3.0.6 y 2.11.16, contienen una vulnerabilidad de tipo cross-site request forgery (CSRF). La vulnerabilidad permite a atacantes cambiar el estado de los ajustes de un pedido si presentan su n\\u00famero, y la ejecuci\\u00f3n ocurre en el ordenador de un administrador de la tienda. Los usuarios deben actualizar a solidus_backend versiones 3.1.6, 3.0.6 o 2.11.16 para recibir el parche\"}]",
      "id": "CVE-2022-31000",
      "lastModified": "2024-11-21T07:03:41.387",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 2.3, \"baseSeverity\": \"LOW\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2022-06-01T18:15:07.873",
      "references": "[{\"url\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-31000\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-01T18:15:07.873\",\"lastModified\":\"2024-11-21T07:03:41.387\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.\"},{\"lang\":\"es\",\"value\":\"solidus_backend es la interfaz de administraci\u00f3n del framework de comercio electr\u00f3nico Solidus. Las versiones anteriores a 3.1.6, 3.0.6 y 2.11.16, contienen una vulnerabilidad de tipo cross-site request forgery (CSRF). La vulnerabilidad permite a atacantes cambiar el estado de los ajustes de un pedido si presentan su n\u00famero, y la ejecuci\u00f3n ocurre en el ordenador de un administrador de la tienda. Los usuarios deben actualizar a solidus_backend versiones 3.1.6, 3.0.6 o 2.11.16 para recibir el parche\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.11.16\",\"matchCriteriaId\":\"6A5D9F81-FC48-4924-9C43-2D769567A39C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.5\",\"matchCriteriaId\":\"B58D450A-ADBF-4E0F-9C11-B11752ADE39E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.1.0\",\"versionEndExcluding\":\"3.1.6\",\"matchCriteriaId\":\"09243C20-0699-4273-A7B9-C2DE53E062E8\"}]}]}],\"references\":[{\"url\":\"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"product\": \"solidus\", \"vendor\": \"solidusio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.11.16\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 3.0.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 3.1.6\"}]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"NONE\", \"baseScore\": 2.3, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\", \"version\": \"3.1\"}}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"dateUpdated\": \"2022-06-01T17:25:11.000Z\", \"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\"}, \"references\": [{\"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\"}, {\"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\"}], \"source\": {\"advisory\": \"GHSA-8639-qx56-r428\", \"discovery\": \"UNKNOWN\"}, \"title\": \"CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend\", \"x_legacyV4Record\": {\"CVE_data_meta\": {\"ASSIGNER\": \"security-advisories@github.com\", \"ID\": \"CVE-2022-31000\", \"STATE\": \"PUBLIC\", \"TITLE\": \"CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend\"}, \"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"product_name\": \"solidus\", \"version\": {\"version_data\": [{\"version_value\": \"\u003c 2.11.16\"}, {\"version_value\": \"\u003e= 3.0.0, \u003c 3.0.6\"}, {\"version_value\": \"\u003e= 3.1.0, \u003c 3.1.6\"}]}}]}, \"vendor_name\": \"solidusio\"}]}}, \"data_format\": \"MITRE\", \"data_type\": \"CVE\", \"data_version\": \"4.0\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.\"}]}, \"impact\": {\"cvss\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"LOCAL\", \"availabilityImpact\": \"NONE\", \"baseScore\": 2.3, \"baseSeverity\": \"LOW\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"HIGH\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\", \"version\": \"3.1\"}}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}]}, \"references\": {\"reference_data\": [{\"name\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\", \"refsource\": \"CONFIRM\", \"url\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\"}, {\"name\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\", \"refsource\": \"MISC\", \"url\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\"}]}, \"source\": {\"advisory\": \"GHSA-8639-qx56-r428\", \"discovery\": \"UNKNOWN\"}}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T07:03:40.214Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428\"}, {\"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-31000\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:46:02.644442Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:46:04.364Z\"}}]}",
      "cveMetadata": "{\"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"cveId\": \"CVE-2022-31000\", \"datePublished\": \"2022-06-01T17:25:11.000Z\", \"dateReserved\": \"2022-05-18T00:00:00.000Z\", \"dateUpdated\": \"2025-04-22T17:55:17.777Z\", \"state\": \"PUBLISHED\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2022-31000

Vulnerability from gsd - Updated: 2022-06-01 00:00

Details

### Impact CSRF vulnerability allowing attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer. Reproduction steps: - Take an order's number. - Log in as an administrator. - Visit that order's adjustments section (_Orders -> {Click on number} -> Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column). - On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`. - Notice how the adjustments are unfinalized (open padlock), even if the previous was a `GET` request which could have been linked from any other site. - Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`. - Notice how the adjustments are again finalized. That happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection. ### Patches Users should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use. ### References - [Rails CSRF protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html).

Aliases

CVE-2022-31000

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-31000",
    "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
    "id": "GSD-2022-31000"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "solidus_backend",
            "purl": "pkg:gem/solidus_backend"
          }
        }
      ],
      "aliases": [
        "CVE-2022-31000",
        "GHSA-8639-qx56-r428"
      ],
      "details": "### Impact\nCSRF vulnerability allowing attackers to change the state of an order\u0027s adjustments\nif they hold its number, and the execution happens on a store administrator\u0027s computer.\n\nReproduction steps:\n- Take an order\u0027s number.\n- Log in as an administrator.\n- Visit that order\u0027s adjustments section (_Orders -\u003e {Click on number} -\u003e Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column).\n- On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`.\n- Notice how the adjustments are unfinalized (open padlock), even if the previous was a `GET` request which could have been linked from any other site.\n- Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`.\n- Notice how the adjustments are again finalized.\n\nThat happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection.\n\n### Patches\nUsers should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.\n\n### References\n- [Rails CSRF protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html).\n",
      "id": "GSD-2022-31000",
      "modified": "2022-06-01T00:00:00.000Z",
      "published": "2022-06-01T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
        },
        {
          "type": "WEB",
          "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 2.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31000",
        "STATE": "PUBLIC",
        "TITLE": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "solidus",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.11.16"
                        },
                        {
                          "version_value": "\u003e= 3.0.0, \u003c 3.0.6"
                        },
                        {
                          "version_value": "\u003e= 3.1.0, \u003c 3.1.6"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "solidusio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428",
            "refsource": "CONFIRM",
            "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          },
          {
            "name": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "refsource": "MISC",
            "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-8639-qx56-r428",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-31000",
      "cvss_v3": 2.3,
      "date": "2022-06-01",
      "description": "### Impact\nCSRF vulnerability allowing attackers to change the state of an order\u0027s adjustments\nif they hold its number, and the execution happens on a store administrator\u0027s computer.\n\nReproduction steps:\n- Take an order\u0027s number.\n- Log in as an administrator.\n- Visit that order\u0027s adjustments section (_Orders -\u003e {Click on number} -\u003e Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column).\n- On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`.\n- Notice how the adjustments are unfinalized (open padlock), even if the previous was a `GET` request which could have been linked from any other site.\n- Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`.\n- Notice how the adjustments are again finalized.\n\nThat happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection.\n\n### Patches\nUsers should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.\n\n### References\n- [Rails CSRF protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html).\n",
      "gem": "solidus_backend",
      "ghsa": "8639-qx56-r428",
      "patched_versions": [
        "~\u003e 2.11.16",
        "~\u003e 3.0.6",
        "\u003e= 3.1.6"
      ],
      "related": {
        "url": [
          "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
        ]
      },
      "title": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend",
      "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.11.16||\u003e=3.0.0 \u003c3.0.5||\u003e=3.1.0 \u003c3.1.6",
          "affected_versions": "All versions starting from 3.0.0 before 3.0.5, all versions starting from 3.1.0 before 3.1.6, all versions before 2.11.16",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-06-08",
          "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
          "fixed_versions": [
            "2.11.16",
            "3.0.5",
            "3.1.6"
          ],
          "identifier": "CVE-2022-31000",
          "identifiers": [
            "CVE-2022-31000",
            "GHSA-8639-qx56-r428"
          ],
          "not_impacted": "",
          "package_slug": "gem/solidus",
          "pubdate": "2022-06-01",
          "solution": "Upgrade to versions 2.11.16, 3.0.5, 3.1.6 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31000",
            "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          ],
          "uuid": "8146cf10-b241-49f8-89a3-53449ba12cd6"
        },
        {
          "affected_range": "\u003c2.11.16||\u003e=3.0.0 \u003c3.0.5||\u003e=3.1.0 \u003c3.1.6",
          "affected_versions": "All versions starting from 3.0.0 before 3.0.5, all versions starting from 3.1.0 before 3.1.6, all versions before 2.11.16",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-06-08",
          "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
          "fixed_versions": [
            "2.11.16",
            "3.0.5",
            "3.1.6"
          ],
          "identifier": "CVE-2022-31000",
          "identifiers": [
            "CVE-2022-31000",
            "GHSA-8639-qx56-r428"
          ],
          "not_impacted": "",
          "package_slug": "gem/solidus_api",
          "pubdate": "2022-06-01",
          "solution": "Upgrade to versions 2.11.16, 3.0.5, 3.1.6 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31000",
            "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          ],
          "uuid": "49b6a9e9-e1ad-40b6-b99b-2f28d72b2669"
        },
        {
          "affected_range": "\u003c2.11.16||\u003e=3.0.0 \u003c3.0.6||\u003e=3.1.0 \u003c3.1.6",
          "affected_versions": "All versions before 2.11.16, all versions starting from 3.0.0 before 3.0.6, all versions starting from 3.1.0 before 3.1.6",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-06-01",
          "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
          "fixed_versions": [
            "2.11.16",
            "3.0.6",
            "3.1.6"
          ],
          "identifier": "CVE-2022-31000",
          "identifiers": [
            "GHSA-8639-qx56-r428",
            "CVE-2022-31000"
          ],
          "not_impacted": "All versions starting from 2.11.16 before 3.0.0, all versions starting from 3.0.6 before 3.1.0, all versions starting from 3.1.6",
          "package_slug": "gem/solidus_backend",
          "pubdate": "2022-06-01",
          "solution": "Upgrade to versions 2.11.16, 3.0.6, 3.1.6 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31000",
            "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "https://github.com/advisories/GHSA-8639-qx56-r428"
          ],
          "uuid": "19fc76f4-c6c3-4509-adb5-9f4657429a55"
        },
        {
          "affected_range": "\u003c2.11.16||\u003e=3.0.0 \u003c3.0.5||\u003e=3.1.0 \u003c3.1.6",
          "affected_versions": "All versions starting from 3.0.0 before 3.0.5, all versions starting from 3.1.0 before 3.1.6, all versions before 2.11.16",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-06-08",
          "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
          "fixed_versions": [
            "2.11.16",
            "3.0.5",
            "3.1.6"
          ],
          "identifier": "CVE-2022-31000",
          "identifiers": [
            "CVE-2022-31000",
            "GHSA-8639-qx56-r428"
          ],
          "not_impacted": "",
          "package_slug": "gem/solidus_core",
          "pubdate": "2022-06-01",
          "solution": "Upgrade to versions 2.11.16, 3.0.5, 3.1.6 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31000",
            "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          ],
          "uuid": "3b628df7-ce1c-457a-95c0-a1492cec64f6"
        },
        {
          "affected_range": "\u003c2.11.16||\u003e=3.0.0 \u003c3.0.5||\u003e=3.1.0 \u003c3.1.6",
          "affected_versions": "All versions starting from 3.0.0 before 3.0.5, all versions starting from 3.1.0 before 3.1.6, all versions before 2.11.16",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2022-06-08",
          "description": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch.",
          "fixed_versions": [
            "2.11.16",
            "3.0.5",
            "3.1.6"
          ],
          "identifier": "CVE-2022-31000",
          "identifiers": [
            "CVE-2022-31000",
            "GHSA-8639-qx56-r428"
          ],
          "not_impacted": "",
          "package_slug": "gem/solidus_frontend",
          "pubdate": "2022-06-01",
          "solution": "Upgrade to versions 2.11.16, 3.0.5, 3.1.6 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-31000",
            "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
            "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
          ],
          "uuid": "e2d910ad-ae8d-47b1-ba4b-01c02617b94c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.0.5",
                "versionStartIncluding": "3.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "3.1.6",
                "versionStartIncluding": "3.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.11.16",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31000"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
            },
            {
              "name": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-06-08T20:13Z",
      "publishedDate": "2022-06-01T18:15Z"
    }
  }
}

FKIE_CVE-2022-31000

Vulnerability from fkie_nvd - Published: 2022-06-01 18:15 - Updated: 2024-11-21 07:03

Severity ?

2.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428	Exploit, Third Party Advisory

Impacted products

Vendor	Product	Version
nebulab	solidus	*
nebulab	solidus	*
nebulab	solidus	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A5D9F81-FC48-4924-9C43-2D769567A39C",
              "versionEndExcluding": "2.11.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B58D450A-ADBF-4E0F-9C11-B11752ADE39E",
              "versionEndExcluding": "3.0.5",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nebulab:solidus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "09243C20-0699-4273-A7B9-C2DE53E062E8",
              "versionEndExcluding": "3.1.6",
              "versionStartIncluding": "3.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "solidus_backend is the admin interface for the Solidus e-commerce framework. Versions prior to 3.1.6, 3.0.6, and 2.11.16 contain a cross-site request forgery (CSRF) vulnerability. The vulnerability allows attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer. Users should upgrade to solidus_backend 3.1.6, 3.0.6, or 2.11.16 to receive a patch."
    },
    {
      "lang": "es",
      "value": "solidus_backend es la interfaz de administraci\u00f3n del framework de comercio electr\u00f3nico Solidus. Las versiones anteriores a 3.1.6, 3.0.6 y 2.11.16, contienen una vulnerabilidad de tipo cross-site request forgery (CSRF). La vulnerabilidad permite a atacantes cambiar el estado de los ajustes de un pedido si presentan su n\u00famero, y la ejecuci\u00f3n ocurre en el ordenador de un administrador de la tienda. Los usuarios deben actualizar a solidus_backend versiones 3.1.6, 3.0.6 o 2.11.16 para recibir el parche"
    }
  ],
  "id": "CVE-2022-31000",
  "lastModified": "2024-11-21T07:03:41.387",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 2.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-06-01T18:15:07.873",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-8639-QX56-R428

Vulnerability from github – Published: 2022-06-01 20:26 – Updated: 2022-06-01 20:26

Summary

CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend

Details

Impact

CSRF vulnerability allowing attackers to change the state of an order's adjustments if they hold its number, and the execution happens on a store administrator's computer.

Reproduction steps: - Take an order's number. - Log in as an administrator. - Visit that order's adjustments section (Orders -> {Click on number} -> Adjustments) and check that its adjustments are finalized (closed padlock under the State column). - On another tab, visit {your_site_url}/admin/orders/{order_number}/adjustments/unfinalize. - Notice how the adjustments are unfinalized (open padlock), even if the previous was a GET request which could have been linked from any other site. - Visit {your_site_url}/admin/orders/{order_number}/adjustments/finalize. - Notice how the adjustments are again finalized.

That happened because both routes were handled as GET requests, which are skipped by Rails anti-forgery protection.

Patches

Users should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.

References

Rails CSRF protection.

For more information

If you have any questions or comments about this advisory:

Open an issue or a discussion in Solidus.
Email us at security@solidus.io
Contact the core team on Slack

Severity ?

2.3 (Low)


                  
                    CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "solidus_backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "solidus_backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "solidus_backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31000"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-01T20:26:37Z",
    "nvd_published_at": "2022-06-01T18:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\nCSRF vulnerability allowing attackers to change the state of an order\u0027s adjustments if they hold its number, and the execution happens on a store administrator\u0027s computer.\n\nReproduction steps:\n- Take an order\u0027s number.\n- Log in as an administrator.\n- Visit that order\u0027s adjustments section (_Orders -\u003e {Click on number} -\u003e Adjustments_) and check that its adjustments are finalized (closed padlock under the **State** column).\n- On another tab, visit `{your_site_url}/admin/orders/{order_number}/adjustments/unfinalize`.\n- Notice how the adjustments are unfinalized (open padlock), even if the previous was a `GET` request which could have been linked from any other site.\n- Visit `{your_site_url}/admin/orders/{order_number}/adjustments/finalize`.\n- Notice how the adjustments are again finalized.\n\nThat happened because both routes were handled as `GET` requests, which are skipped by Rails anti-forgery protection.\n\n### Patches\nUsers should upgrade to solidus_backend v3.1.6, v3.0.6, or v2.11.16, depending on the major and minor versions in use.\n\n### References\n- [Rails CSRF protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html).\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an [issue](https://github.com/solidusio/solidus/issues) or a [discussion](https://github.com/solidusio/solidus/discussions) in Solidus.\n- Email us at [security@solidus.io](mailto:security@soliidus.io)\n- Contact the core team on [Slack](http://slack.solidus.io/)\n",
  "id": "GHSA-8639-qx56-r428",
  "modified": "2022-06-01T20:26:37Z",
  "published": "2022-06-01T20:26:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus/security/advisories/GHSA-8639-qx56-r428"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31000"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solidusio/solidus/commit/de796a2e0be7f154cae48b46e267501559d9716c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/solidus_backend/CVE-2022-31000.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/solidusio/solidus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-31000 (GCVE-0-2022-31000)

GSD-2022-31000

FKIE_CVE-2022-31000

GHSA-8639-QX56-R428

Impact

Patches

References

For more information

Tags

Sightings

Nomenclature