Spree: Multiple Security Vulnerabilities


m...@state.io

Mar 8, 2013, 3:30:16 PM3/8/13
to rubysec-...@googlegroups.com
Hello,

Multiple vulnerabilities in Spree have been brought to our attention. Information from their announcement below.

---

- Spree Roles Mass-assignment Vulnerability

The first vulnerability reported pertains to a mass-assignment vulnerability with spree roles. By passing the right parameters while updating a user, that user is able to assign any existing role to themselves. This is fixed in the latest release. You are strongly encouraged to upgrade if you are using Spree 1.1.x, 1.2.x or 1.3.x.


- JSON Gem Object Creation Vulnerability

The second is related to an Unsafe Object Creation vulnerability found in the JSON gem. This vulnerability potentially affects all versions of Spree that are running an outdated JSON gem.

- Unsafe Use of Constantize in Admin

The third vulnerability concerns unsafe reflections in parts of the Spree admin and affects any version of Spree >= 1.0.0. It is possible to instantiate an object of the user’s choice by passing the correct parameters to certain methods. As this vulnerability only pertains to the admin interface, we have not released a new version of Spree with this fix. However, this fix is available on Spree’s master branch as commit 70092eb.

Thanks to Gabriel Quadros of Conviso Application Security for reporting this.

---
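To make the bug classes above concrete, here is an added Ruby illustration; it is not Spree's code and not part of the announcement. It shows a hypothetical User model updated both without and with an attribute allowlist (the mass-assignment issue), a hypothetical calculator lookup that replaces an open constantize with a fixed map (the unsafe reflection issue), and JSON parsing with additions disabled (the JSON gem issue). The class names, attribute names and calculator keys are invented for the example.

```ruby
require 'json'

# Added illustration, not Spree's code: a hypothetical minimal user model whose
# roles must never be writable from request parameters.
class User
  PERMITTED_ATTRIBUTES = %w[email name].freeze # role_ids deliberately absent
  attr_reader :attributes, :roles

  def initialize(email:, roles: ['user'])
    @attributes = { 'email' => email, 'name' => nil }
    @roles = roles
  end

  # Vulnerable pattern: every submitted key is applied, so a request carrying
  # role_ids silently changes the user's roles.
  def update_unsafe(params)
    params.each do |key, value|
      if key == 'role_ids'
        @roles = value
      else
        @attributes[key] = value
      end
    end
    self
  end

  # Hardened pattern: only an explicit allowlist of keys reaches the model;
  # everything else, role_ids included, is dropped.
  def update_safe(params)
    params.slice(*PERMITTED_ATTRIBUTES).each { |key, value| @attributes[key] = value }
    self
  end
end

# Hypothetical calculator classes standing in for whatever an admin screen
# would reflect on.
class FlatRateCalculator; end
class PercentCalculator; end

# Unsafe reflection: whatever constant name the caller supplies is resolved.
def unsafe_constantize(name)
  Object.const_get(name)
end

# Safe reflection: the caller chooses a key, the key maps to a fixed set of
# classes, and unknown keys are rejected instead of resolved.
ALLOWED_CALCULATORS = {
  'flat_rate' => FlatRateCalculator,
  'percent'   => PercentCalculator
}.freeze

def build_calculator(key)
  klass = ALLOWED_CALCULATORS.fetch(key) do
    raise ArgumentError, "unknown calculator type: #{key.inspect}"
  end
  klass.new
end

# JSON from an untrusted source: with additions disabled, a document carrying
# a json_class key parses to a plain Hash rather than an instantiated object.
def parse_untrusted_json(text)
  JSON.parse(text, create_additions: false)
end

if __FILE__ == $PROGRAM_NAME
  victim = User.new(email: 'alice@example.com').update_unsafe('role_ids' => ['admin'])
  puts "unsafe update roles: #{victim.roles.inspect}" # ["admin"]
  safe = User.new(email: 'bob@example.com').update_safe('name' => 'Bob', 'role_ids' => ['admin'])
  puts "safe update roles:   #{safe.roles.inspect}" # ["user"]
  puts "unsafe_constantize('Kernel') => #{unsafe_constantize('Kernel')}"
  begin
    build_calculator('Kernel')
  rescue ArgumentError => e
    puts "build_calculator rejected: #{e.message}"
  end
  p parse_untrusted_json('{"json_class":"Foo","a":1}')
end
```

Run it with plain ruby: the unsafe update grants the admin role from a single extra parameter, the allowlisted update drops that parameter, and the calculator lookup refuses any key that is not in its map regardless of whether a constant by that name exists.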
