GHSA-RPXH-VG2X-526V

Vulnerability from github – Published: 2021-06-29 03:12 – Updated: 2021-06-30 17:59
VLAI?
Summary
List of order ids, number, items total and token value exposed for unauthorized uses via new API
Details

Impact

Part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time.

Patches

The problem has been patched at Sylius 1.9.5 and 1.10.0

Workarounds

There are a few ways to fix this without updating the code.

The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. In order to achieve it one has to add the configuration in config/packages/security.yaml:

    access_control:
        # ... 
        - { path: "%sylius.security.new_api_shop_regex%/orders", role: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }
        - { path: "%sylius.security.new_api_shop_regex%/orders", role: ROLE_USER, methods: [GET] }

This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only.

The second possible solution is to decorate the \Sylius\Bundle\ApiBundle\Doctrine\QueryCollectionExtension\OrdersByLoggedInUserExtension and throw Symfony\Component\Security\Core\Exception\AccessDeniedException if the class is executed for unauthorized user.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "sylius/sylius"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-28T18:23:22Z",
    "nvd_published_at": "2021-06-28T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nPart of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. \n\n### Patches\n\nThe problem has been patched at Sylius 1.9.5 and 1.10.0\n\n### Workarounds\nThere are a few ways to fix this without updating the code. \n\nThe first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. In order to achieve it one has to add the configuration in `config/packages/security.yaml`:\n```yaml\n    access_control:\n        # ... \n        - { path: \"%sylius.security.new_api_shop_regex%/orders\", role: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }\n        - { path: \"%sylius.security.new_api_shop_regex%/orders\", role: ROLE_USER, methods: [GET] }\n```\nThis would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only.\n\nThe second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user.\n",
  "id": "GHSA-rpxh-vg2x-526v",
  "modified": "2021-06-30T17:59:43Z",
  "published": "2021-06-29T03:12:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32720"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/commit/21d509851559230d03292b2a635a6951748c2758"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/sylius/sylius"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "List of order ids, number, items total and token value exposed for unauthorized uses via new API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.