Headline
GHSA-55rf-8q29-4g43: Sylius has a security vulnerability via adjustments API endpoint
Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
Patches
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
itemOperations:
shop_get:
controller: ApiPlatform\Core\Action\NotFoundAction
read: false
output: false
Or using XML configuration:
Copy the original configuration from vendor:
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
<!-- config/api_platform/Adjustment.xml -->
...
<itemOperation name="shop_get">
<attribute name="method">GET</attribute>
<attribute name="path">/shop/adjustments/{id}</attribute>
<attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
<attribute name="read">false</attribute>
<attribute name="output">false</attribute>
</itemOperation>
...
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at [email protected]
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-40633
Sylius has a security vulnerability via adjustments API endpoint
High severity GitHub Reviewed Published Jul 17, 2024 in Sylius/Sylius • Updated Jul 17, 2024
Package
composer sylius/sylius (Composer)
Affected versions
< 1.12.19
>= 1.13.0-alpha.1, < 1.13.4
Patched versions
1.12.19
1.13.4
Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
Patches
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%’: itemOperations: shop_get: controller: ApiPlatform\Core\Action\NotFoundAction read: false output: false
Or using XML configuration:
Copy the original configuration from vendor:
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
<!-- config/api_platform/Adjustment.xml -->
… <itemOperation name="shop_get"> <attribute name="method">GET</attribute> <attribute name="path">/shop/adjustments/{id}</attribute> <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute> <attribute name="read">false</attribute> <attribute name="output">false</attribute> </itemOperation> …
For more information
If you have any questions or comments about this advisory:
- Open an issue in Sylius issues
- Email us at [email protected]
References
- GHSA-55rf-8q29-4g43
- Sylius/Sylius@d833b28
Published to the GitHub Advisory Database
Jul 17, 2024
Last updated
Jul 17, 2024