GHSA-55RF-8Q29-4G43
Vulnerability from github – Published: 2024-07-17 14:32 – Updated: 2024-07-17 19:13
VLAI?
Summary
Sylius has a security vulnerability via adjustments API endpoint
Details
Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
Patches
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
itemOperations:
shop_get:
controller: ApiPlatform\Core\Action\NotFoundAction
read: false
output: false
Or using XML configuration:
Copy the original configuration from vendor:
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
<!-- config/api_platform/Adjustment.xml -->
...
<itemOperation name="shop_get">
<attribute name="method">GET</attribute>
<attribute name="path">/shop/adjustments/{id}</attribute>
<attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
<attribute name="read">false</attribute>
<attribute name="output">false</attribute>
</itemOperation>
...
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at security@sylius.com
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "sylius/sylius"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0-alpha.1"
},
{
"fixed": "1.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-40633"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-17T14:32:18Z",
"nvd_published_at": "2024-07-17T18:15:04Z",
"severity": "HIGH"
},
"details": "### Impact\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. \n\n### Patches\nThe issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status.\n\n### Workarounds\n\nUsing YAML configuration:\n\nCreate `config/api_platform/Adjustment.yaml` file:\n\n```yaml\n# config/api_platform/Adjustment.yaml\n\n\u0027%sylius.model.adjustment.class%\u0027:\n itemOperations:\n shop_get:\n controller: ApiPlatform\\Core\\Action\\NotFoundAction\n read: false\n output: false\n```\n\nOr using XML configuration:\n\nCopy the original configuration from vendor:\n\n```bash\ncp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform\n```\n\nAnd change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file:\n\n```xml\n\u003c!-- config/api_platform/Adjustment.xml --\u003e\n\n...\n\u003citemOperation name=\"shop_get\"\u003e\n \u003cattribute name=\"method\"\u003eGET\u003c/attribute\u003e\n \u003cattribute name=\"path\"\u003e/shop/adjustments/{id}\u003c/attribute\u003e\n \u003cattribute name=\"controller\"\u003eApiPlatform\\Core\\Action\\NotFoundAction\u003c/attribute\u003e\n \u003cattribute name=\"read\"\u003efalse\u003c/attribute\u003e\n \u003cattribute name=\"output\"\u003efalse\u003c/attribute\u003e\n\u003c/itemOperation\u003e\n...\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n- Email us at [security@sylius.com](mailto:security@sylius.com)\n",
"id": "GHSA-55rf-8q29-4g43",
"modified": "2024-07-17T19:13:34Z",
"published": "2024-07-17T14:32:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40633"
},
{
"type": "WEB",
"url": "https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464"
},
{
"type": "PACKAGE",
"url": "https://github.com/Sylius/Sylius"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Sylius has a security vulnerability via adjustments API endpoint"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…