diff --git a/gems/phlex/GHSA-w67g-2h6v-vjgq.yml b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml
index fd4cc80009..20e873114c 100644
--- a/gems/phlex/GHSA-w67g-2h6v-vjgq.yml
+++ b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml
@@ -60,4 +60,5 @@ related:
 - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
 - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
 - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
+ - https://advisories.gitlab.com/pkg/gem/phlex/GHSA-w67g-2h6v-vjgq
 - https://github.com/advisories/GHSA-w67g-2h6v-vjgq
diff --git a/gems/spree_api/GHSA-87fh-rc96-6fr6.yml b/gems/spree_api/CVE-2026-25758.yml
similarity index 91%
rename from gems/spree_api/GHSA-87fh-rc96-6fr6.yml
rename to gems/spree_api/CVE-2026-25758.yml
index 30ae64e9c3..dd6e47a8cc 100644
--- a/gems/spree_api/GHSA-87fh-rc96-6fr6.yml
+++ b/gems/spree_api/CVE-2026-25758.yml
@@ -1,5 +1,6 @@
 ---
 gem: spree_api
+cve: 2026-25758
 ghsa: 87fh-rc96-6fr6
 url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
 title: Unauthenticated Spree Commerce users can access all guest addresses
@@ -17,8 +18,8 @@ description: |
 ### Impact
- This issue may lead to disclosure of PII of guest users (including
- names, addresses and phone numbers).
+ This issue may lead to disclosure of PII of guest users
+ (including names, addresses and phone numbers).
 ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)
@@ -54,8 +55,8 @@ description: |
 #### Impact
- This issue may lead to disclosure of PII of guest users (including
- names, addresses and phone numbers).
+ This issue may lead to disclosure of PII of guest users
+ (including names, addresses and phone numbers).
 #### CWEs
@@ -64,8 +65,7 @@ description: |
 ### Credit
- This issue was discovered with the [GitHub Security Lab Taskflow
- Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+ This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
 and manually verified by GHSL team members
 [@p- (Peter Stöckli)](https://github.com/p-) and
 [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
@@ -74,6 +74,7 @@ description: |
 This report is subject to a 90-day disclosure deadline, as
 described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
 patched_versions:
 - "~> 4.10.3"
 - "~> 5.0.8"
@@ -82,6 +83,7 @@ patched_versions:
 - ">= 5.3.2"
 related:
 url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-25758
 - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
 - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
 - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
@@ -92,6 +94,5 @@ related:
 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
+ - https://advisories.gitlab.com/pkg/gem/spree_api/CVE-2026-25758
 - https://github.com/advisories/GHSA-87fh-rc96-6fr6
-notes: |
- - CVE-2026-25758 in GHSA Advisory.
diff --git a/gems/spree_storefront/CVE-2026-25757.yml b/gems/spree_storefront/CVE-2026-25757.yml
new file mode 100644
index 0000000000..0596d726db
--- /dev/null
+++ b/gems/spree_storefront/CVE-2026-25757.yml
@@ -0,0 +1,82 @@
+---
+gem: spree_storefront
+cve: 2026-25757
+ghsa: p6pv-q7rc-g4h9
+url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+title: Unauthenticated Spree Commerce users can view completed
+ guest orders by Order ID
+date: 2026-02-05
+description: |
+ ### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)
+
+ The `OrdersController#show` action permits viewing completed
+ guest orders by order number alone, without requiring the
+ associated order token.
+
+ Order lookup without enforcing token requirement in
+ [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
+
+ ```ruby
+ @order = complete_order_finder.new(number: params[:id],
+ token: params[:token], store: current_store).execute.first
+ ```
+
+ Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):
+
+ ```ruby
+ def authorize_access
+ return true if @order.user_id.nil?
+
+ @order.user == try_spree_current_user
+ end
+ ```
+
+ If the attacker is in possession of a leaked Order ID, they might
+ look it up directly via this API.
+ Alternatively, brute forcing all or parts of the possible Order IDs
+ might be feasible for an attacker. (The Order IDs themselves are
+ [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
+ but with relatively low entropy: by default an order ID has a length
+ of 9 and a base of 10, that would require an attacker to perform
+ 1 billion requests to gather all guest orders. (At an assumed
+ constant rate of 100 requests per second it would take 115 days.)
+
+ #### Impact
+
+ This issue may lead to disclosure of PII of guest users
+ (including names, addresses and phone numbers).
+
+ #### CWEs
+
+ - CWE-639: Authorization Bypass Through User-Controlled Key
+
+ ### Credit
+
+ This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+ and manually verified by GHSL team members
+ [@p- (Peter Stöckli)](https://github.com/p-) and
+ [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+ ### Disclosure Policy
+
+ This report is subject to a 90-day disclosure deadline, as
+ described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+cvss_v4: 7.7
+patched_versions:
+ - "~> 5.0.8"
+ - "~> 5.1.10"
+ - "~> 5.2.7"
+ - ">= 5.3.2"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-25757
+ - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+ - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
+ - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
+ - https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
+ - https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
+ - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
+ - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
+ - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
+ - https://advisories.gitlab.com/pkg/gem/spree_storefront/CVE-2026-25757
+ - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
diff --git a/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml b/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml
index 0cb68cfde8..6f3aabd9c4 100644
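Review bot: The new file gems/spree_storefront/CVE-2026-25757.yml records the same advisory that gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml already holds (same `ghsa: p6pv-q7rc-g4h9`, same `url:`, and the same orders_controller/number_generator/github-advisories links visible in that file's hunk), yet the last hunk of this diff still edits the GHSA file instead of removing it, so unless it is deleted elsewhere in the change set the advisory may be reported twice by consumers that match on gem name. The spree_api entry in the same diff is handled as a rename (GHSA-87fh-rc96-6fr6.yml to CVE-2026-25758.yml) with the `notes:` stub dropped once `cve:` is present; the same treatment here, `git mv gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml gems/spree_storefront/CVE-2026-25757.yml`, keeps one record per advisory. The placement of the new advisories.gitlab.com link also differs across the diff: this file and the phlex and spree_api hunks put it before the github.com/advisories entry, while the GHSA-p6pv-q7rc-g4h9 hunk appends it after; pick one order.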
--- a/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml
+++ b/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml
@@ -74,5 +74,6 @@ related:
 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
 - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
 - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
+ - https://advisories.gitlab.com/pkg/gem/spree_storefront/GHSA-p6pv-q7rc-g4h9
 notes: |
 - CVE-2026-25757 in GHSA advisory.