Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01NXJmLThxMjktNGc0M84AA9-g

Sylius has a security vulnerability via adjustments API endpoint

Impact

A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.

Patches

The issue is fixed in versions: 1.12.19, 1.13.4 and above. The /api/v2/shop/adjustments/{id} will always return 404 status.

Workarounds

Using YAML configuration:

Create config/api_platform/Adjustment.yaml file:

# config/api_platform/Adjustment.yaml

'%sylius.model.adjustment.class%':
    itemOperations:
        shop_get:
            controller: ApiPlatform\Core\Action\NotFoundAction
            read: false
            output: false

Or using XML configuration:

Copy the original configuration from vendor:

cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform

And change the shop_get operation in copied config/api_platform/Adjustment.xml file:

<!-- config/api_platform/Adjustment.xml -->

...
<itemOperation name="shop_get">
    <attribute name="method">GET</attribute>
    <attribute name="path">/shop/adjustments/{id}</attribute>
    <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
    <attribute name="read">false</attribute>
    <attribute name="output">false</attribute>
</itemOperation>
...

For more information

If you have any questions or comments about this advisory:

Open an issue in Sylius issues
Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-55rf-8q29-4g43
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NXJmLThxMjktNGc0M84AA9-g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 2 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-55rf-8q29-4g43, CVE-2024-40633
References:

Repository: https://github.com/Sylius/Sylius
Blast Radius: 21.6

Affected Packages

packagist:sylius/sylius

Dependent packages: 541
Dependent repositories: 748
Downloads: 4,327,592 total
Affected Version Ranges: >= 1.13.0-alpha.1, < 1.13.4, < 1.12.19
Fixed in: 1.13.4, 1.12.19
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.2.15, 1.2.16, 1.2.17, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.3.11, 1.3.12, 1.3.13, 1.3.14, 1.3.15, 1.3.16, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.8.12, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9, 1.9.10, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.10.8, 1.10.9, 1.10.10, 1.10.11, 1.10.12, 1.10.13, 1.10.14, 1.11.0, 1.11.1, 1.11.2, 1.11.3, 1.11.4, 1.11.5, 1.11.6, 1.11.7, 1.11.8, 1.11.9, 1.11.10, 1.11.11, 1.11.12, 1.11.13, 1.11.14, 1.11.15, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.12.6, 1.12.7, 1.12.8, 1.12.9, 1.12.10, 1.12.11, 1.12.12, 1.12.13, 1.12.14, 1.12.15, 1.12.16, 1.12.17, 1.12.18, 1.13.0, 1.13.0-alpha.1, 1.13.0-alpha.2, 1.13.0-beta.1, 1.13.0-rc.1, 1.13.1, 1.13.2, 1.13.3
All unaffected versions: 1.12.19, 1.13.4, 1.13.5, 1.13.6, 1.13.7