diff --git a/gems/phlex/GHSA-w67g-2h6v-vjgq.yml b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml index fd4cc80009..20e873114c 100644 --- a/gems/phlex/GHSA-w67g-2h6v-vjgq.yml +++ b/gems/phlex/GHSA-w67g-2h6v-vjgq.yml @@ -60,4 +60,5 @@ related: - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1 + - https://advisories.gitlab.com/pkg/gem/phlex/GHSA-w67g-2h6v-vjgq - https://github.com/advisories/GHSA-w67g-2h6v-vjgq diff --git a/gems/spree_api/GHSA-87fh-rc96-6fr6.yml b/gems/spree_api/CVE-2026-25758.yml similarity index 91% rename from gems/spree_api/GHSA-87fh-rc96-6fr6.yml rename to gems/spree_api/CVE-2026-25758.yml index 30ae64e9c3..dd6e47a8cc 100644 --- a/gems/spree_api/GHSA-87fh-rc96-6fr6.yml +++ b/gems/spree_api/CVE-2026-25758.yml @@ -1,5 +1,6 @@ --- gem: spree_api +cve: 2026-25758 ghsa: 87fh-rc96-6fr6 url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6 title: Unauthenticated Spree Commerce users can access all guest addresses @@ -17,8 +18,8 @@ description: | ### Impact - This issue may lead to disclosure of PII of guest users (including - names, addresses and phone numbers). + This issue may lead to disclosure of PII of guest users + (including names, addresses and phone numbers). ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`) @@ -54,8 +55,8 @@ description: | #### Impact - This issue may lead to disclosure of PII of guest users (including - names, addresses and phone numbers). + This issue may lead to disclosure of PII of guest users + (including names, addresses and phone numbers). #### CWEs 
@@ -64,8 +65,7 @@ description: | ### Credit - This issue was discovered with the [GitHub Security Lab Taskflow - Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) + This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent) and manually verified by GHSL team members [@p- (Peter Stöckli)](https://github.com/p-) and [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo). @@ -74,6 +74,7 @@ description: | This report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy). +cvss_v4: 7.7 patched_versions: - "~> 4.10.3" - "~> 5.0.8" @@ -82,6 +83,7 @@ patched_versions: - ">= 5.3.2" related: url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-25758 - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6 - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734 - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f @@ -92,6 +94,5 @@ related: - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96 + - https://advisories.gitlab.com/pkg/gem/spree_api/CVE-2026-25758 - https://github.com/advisories/GHSA-87fh-rc96-6fr6 -notes: | - - CVE-2026-25758 in GHSA Advisory. diff --git a/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml b/gems/spree_storefront/CVE-2026-25757.yml similarity index 74% rename from gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml rename to gems/spree_storefront/CVE-2026-25757.yml index 0cb68cfde8..0596d726db 100644 --- a/gems/spree_storefront/GHSA-p6pv-q7rc-g4h9.yml 
+++ b/gems/spree_storefront/CVE-2026-25757.yml @@ -1,5 +1,6 @@ --- gem: spree_storefront +cve: 2026-25757 ghsa: p6pv-q7rc-g4h9 url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 title: Unauthenticated Spree Commerce users can view completed @@ -12,7 +13,8 @@ description: | guest orders by order number alone, without requiring the associated order token. - Order lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14): + Order lookup without enforcing token requirement in + [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14): ```ruby @order = complete_order_finder.new(number: params[:id], @@ -20,6 +22,7 @@ description: | ``` Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8): + ```ruby def authorize_access return true if @order.user_id.nil? 
@@ -30,13 +33,13 @@ description: | If the attacker is in possession of a leaked Order ID, they might look it up directly via this API. - Alternatively, brute forcing all or parts of the possible - Order IDs might be feasible for an attacker. (The Order IDs - themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), - but with relatively low entropy: by default an order ID has a - length of 9 and a base of 10, that would require an attacker to - perform 1 billion requests to gather all guest orders. (At an - assumed constant rate of 100 requests per second it would take 115 days.) + Alternatively, brute forcing all or parts of the possible Order IDs + might be feasible for an attacker. (The Order IDs themselves are + [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45), + but with relatively low entropy: by default an order ID has a length + of 9 and a base of 10, that would require an attacker to perform + 1 billion requests to gather all guest orders. (At an assumed + constant rate of 100 requests per second it would take 115 days.) #### Impact @@ -58,6 +61,7 @@ description: | This report is subject to a 90-day disclosure deadline, as described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy). +cvss_v4: 7.7 patched_versions: - "~> 5.0.8" - "~> 5.1.10" @@ -65,6 +69,7 @@ patched_versions: - ">= 5.3.2" related: url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-25757 - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be 
@@ -73,6 +78,5 @@ related: - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14 - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8 - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45 + - https://advisories.gitlab.com/pkg/gem/spree_storefront/CVE-2026-25757 - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9 -notes: | - - CVE-2026-25757 in GHSA advisory.
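Review bot: the whitespace-only rewraps in the two spree files (the "This issue may lead to disclosure of PII of guest users" paragraphs at `@@ -17,8 +18,8 @@` and `@@ -54,8 +55,8 @@` in gems/spree_api/CVE-2026-25758.yml, the "Credit" line at `@@ -64,8 +65,7 @@`, and the `OrdersController#show` link line in gems/spree_storefront/CVE-2026-25757.yml) change no content but are what push the renames down to 91% and 74% similarity and will collide with any later re-import of the upstream GHSA description. Suggest dropping the rewraps from this change, or landing them as a separate commit, so this diff reduces to the substantive edits: the `cve:` and `cvss_v4:` fields, the two new `related: url` entries per file, the rename, and the removal of the now-redundant `notes:` block.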
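Review bot: the rewrapped brute-force paragraph at `@@ -30,13 +33,13 @@` in gems/spree_storefront/CVE-2026-25757.yml keeps an unbalanced parenthesis from the upstream text: "(The Order IDs themselves are [securely generated](...)," opens a parenthetical that never closes, while the inner "(At an assumed constant rate of 100 requests per second it would take 115 days.)" is closed. Since these lines are being touched anyway, either close it after "gather all guest orders." or leave the paragraph byte-for-byte as in the GHSA advisory so a later sync does not produce a spurious diff. The numbers themselves are consistent with the visible text: 10^9 nine-digit base-10 ids at 100 requests per second is 10^7 seconds, about 115.7 days.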
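Review bot: `cvss_v4: 7.7` is added to both spree files (`@@ -74,6 +74,7 @@` and `@@ -58,6 +61,7 @@`) with no vector string and nothing in the hunk saying where the score comes from; both advisories end up with the identical value. Please state the source in the commit message (presumably the linked GHSA advisories, which the `url:` field already points at) and confirm 7.7 is the v4.0 base score and not the v3.1 one, since consumers of this database distinguish `cvss_v3` from `cvss_v4` by field name and a score recorded under the wrong key is worse than none.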