ghsa-55rf-8q29-4g43
Vulnerability from github
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
### Impact
A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
### Patches
The issue is fixed in versions: 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` endpoint will always return a `404` status.
### Workarounds

Using YAML configuration:

Create the `config/api_platform/Adjustment.yaml` file:

```yaml
# config/api_platform/Adjustment.yaml

'%sylius.model.adjustment.class%':
    itemOperations:
        shop_get:
            controller: ApiPlatform\Core\Action\NotFoundAction
            read: false
            output: false
```
Or using XML configuration:

Copy the original configuration from vendor:

```bash
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
```

And change the `shop_get` operation in the copied `config/api_platform/Adjustment.xml` file:

```xml
<!-- config/api_platform/Adjustment.xml -->

...
<itemOperation name="shop_get">
    <attribute name="method">GET</attribute>
    <attribute name="path">/shop/adjustments/{id}</attribute>
    <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
    <attribute name="read">false</attribute>
    <attribute name="output">false</attribute>
</itemOperation>
...
```
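Two checks an operator would want alongside the workaround above, written here as an added example that is not part of the advisory or the Sylius code base: a detector that scans access-log lines for a client walking consecutive adjustment IDs on the vulnerable route (the enumeration pattern described under Impact), and a verifier that confirms the route now answers `404` as the fixed versions and the workaround should. The combined-log format, the IP addresses, the thresholds and the sample log lines are constructed assumptions; the `fetch_status` callable is injected so the verifier can be exercised without network access.

```python
"""Detect enumeration of /api/v2/shop/adjustments/{id} in access logs and verify
that the route answers 404 once the fix or workaround is in place.

Added illustration for the advisory above, not Sylius project code. The log
format, thresholds and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Apache/nginx combined log format (assumed); only ip, method and path matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The vulnerable route: an incremental integer id in the last path segment.
ADJ_RE = re.compile(r'^/api/v2/shop/adjustments/(?P<id>\d+)$')


def parse_adjustment_requests(lines: List[str]) -> Dict[str, List[int]]:
    """Return {client_ip: [adjustment ids requested]} for GETs to the vulnerable route."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        a = ADJ_RE.match(m.group("path"))
        if a:
            hits[m.group("ip")].append(int(a.group("id")))
    return dict(hits)


def find_enumerators(lines: List[str], min_ids: int = 5, max_gap: int = 1) -> Dict[str, List[int]]:
    """Flag clients that requested at least `min_ids` distinct adjustment ids whose
    values are (mostly) consecutive, the signature of walking an incremental key.
    Returns {client_ip: sorted ids}. Thresholds are assumptions; tune to traffic."""
    flagged: Dict[str, List[int]] = {}
    for ip, ids in parse_adjustment_requests(lines).items():
        uniq = sorted(set(ids))
        if len(uniq) < min_ids:
            continue
        gaps = [b - a for a, b in zip(uniq, uniq[1:])]
        sequential = sum(1 for g in gaps if g <= max_gap)
        if sequential >= len(gaps) * 0.8:  # tolerate a few skipped or missing ids
            flagged[ip] = uniq
    return flagged


def verify_endpoint_closed(fetch_status: Callable[[str], int], base_url: str, sample_id: int = 1) -> bool:
    """True when the route answers 404 for a sample id, as 1.12.19 / 1.13.4 and the
    workaround should. `fetch_status(url) -> int` is injected so this can run in a
    unit test; in production pass a urllib/requests-based function."""
    return fetch_status(f"{base_url}/api/v2/shop/adjustments/{sample_id}") == 404


# Constructed sample log: one client walks ids 100..106, two others are benign.
SAMPLE_LOG: List[str] = [
    f'203.0.113.7 - - [17/Jul/2024:14:32:{18 + i:02d} +0000] '
    f'"GET /api/v2/shop/adjustments/{100 + i} HTTP/1.1" 200 412 "-" "curl/8.0"'
    for i in range(7)
] + [
    '198.51.100.2 - - [17/Jul/2024:14:40:01 +0000] "GET /api/v2/shop/adjustments/5 HTTP/1.1" 200 398 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [17/Jul/2024:14:40:02 +0000] "GET /api/v2/shop/products HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Jul/2024:14:41:00 +0000] "POST /api/v2/shop/orders HTTP/1.1" 201 120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"possible adjustment-id enumeration from {ip}: ids {ids[0]}..{ids[-1]} ({len(ids)} requests)")
    # Stand-in for a real fetch against your own instance after upgrading or applying the workaround.
    closed = verify_endpoint_closed(lambda url: 404, "https://shop.example")
    print("route returns 404:", closed)
```

In production the detector would be fed by a log shipper rather than the inline sample, and `verify_endpoint_closed` would be handed a small function that issues a real GET against your own deployment and returns the status code; anything other than `404` after the upgrade or workaround means the override did not take effect.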
### For more information
If you have any questions or comments about this advisory:

- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)
- Email us at [security@sylius.com](mailto:security@sylius.com)
{ "affected": [ { "package": { "ecosystem": "Packagist", "name": "sylius/sylius" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.12.19" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Packagist", "name": "sylius/sylius" }, "ranges": [ { "events": [ { "introduced": "1.13.0-alpha.1" }, { "fixed": "1.13.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2024-40633" ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-639" ], "github_reviewed": true, "github_reviewed_at": "2024-07-17T14:32:18Z", "nvd_published_at": "2024-07-17T18:15:04Z", "severity": "HIGH" }, "details": "### Impact\nA security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. \n\n### Patches\nThe issue is fixed in versions: 1.12.19, 1.13.4 and above. 
The `/api/v2/shop/adjustments/{id}` will always return `404` status.\n\n### Workarounds\n\nUsing YAML configuration:\n\nCreate `config/api_platform/Adjustment.yaml` file:\n\n```yaml\n# config/api_platform/Adjustment.yaml\n\n\u0027%sylius.model.adjustment.class%\u0027:\n itemOperations:\n shop_get:\n controller: ApiPlatform\\Core\\Action\\NotFoundAction\n read: false\n output: false\n```\n\nOr using XML configuration:\n\nCopy the original configuration from vendor:\n\n```bash\ncp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform\n```\n\nAnd change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file:\n\n```xml\n\u003c!-- config/api_platform/Adjustment.xml --\u003e\n\n...\n\u003citemOperation name=\"shop_get\"\u003e\n \u003cattribute name=\"method\"\u003eGET\u003c/attribute\u003e\n \u003cattribute name=\"path\"\u003e/shop/adjustments/{id}\u003c/attribute\u003e\n \u003cattribute name=\"controller\"\u003eApiPlatform\\Core\\Action\\NotFoundAction\u003c/attribute\u003e\n \u003cattribute name=\"read\"\u003efalse\u003c/attribute\u003e\n \u003cattribute name=\"output\"\u003efalse\u003c/attribute\u003e\n\u003c/itemOperation\u003e\n...\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)\n- Email us at [security@sylius.com](mailto:security@sylius.com)\n", "id": "GHSA-55rf-8q29-4g43", "modified": "2024-07-17T19:13:34Z", "published": "2024-07-17T14:32:18Z", "references": [ { "type": "WEB", "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29-4g43" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40633" }, { "type": "WEB", "url": "https://github.com/Sylius/Sylius/commit/d833b2871caa3b8d1f0a8207378bb778f0b90464" }, { "type": "PACKAGE", "url": "https://github.com/Sylius/Sylius" } ], "schema_version": "1.4.0", "severity": [ { 
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Sylius has a security vulnerability via adjustments API endpoint" }