We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker to gain the security token for an order. The exploit would require the attacker to randomly guess valid order numbers, but once a valid number was found, the technique would reveal private customer information associated with the order. Credit card details are never stored in Spree and were never at risk from this exploit. Users are advised to perform an immediate upgrade.
We have officially released the following new Spree versions: 2.0.10, 2.1.6, and 2.2.1. These versions also contain several other minor fixes. To see a complete list of changes please view the compare pages:
Tax calculation corrections
Also worth noting: the 2-2-stable branch includes some minor tweaks to improve tax calculation. In certain circumstances, the tax amount that was applied was incorrect. For more information, please see Issue #4327.
Details on the security patch
We strongly advise everyone to upgrade to the latest version of Spree available for their stores. For example, if you’re running v2.0.9, please upgrade to v2.0.10 immediately.
Alternatively, you can fork Spree to a local `vendor/gems/spree` directory within your application and apply the patch using one of these commands:
- 2-0-stable: `git cherry-pick dc6f3b5b87f31e4f1ce7f8a5ef8378abbb3b16ea`
- 2-1-stable: `git cherry-pick 71807994b779fc921d494234aa16b6f081a6c2c4`
- 2-2-stable: `git cherry-pick ba4ab90dfb36a8bd25c465f763c977963821102b`
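To see which of the patched releases above applies to a store, this added example (not Spree's own code) reads the locked `spree_api` version from a `Gemfile.lock` and compares it with 2.0.10, 2.1.6 and 2.2.1. It assumes the store locks `spree_api` or `spree` through Bundler; the sample lockfile is constructed, and release series not named in this announcement are reported as unlisted rather than judged.

```ruby
# Patched releases named in this announcement, keyed by release series.
PATCHED = {
  "2.0" => Gem::Version.new("2.0.10"),
  "2.1" => Gem::Version.new("2.1.6"),
  "2.2" => Gem::Version.new("2.2.1"),
}.freeze

# Constructed sample lockfile, for illustration only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      spree_api (2.0.9)
        spree_core (= 2.0.9)
      spree_core (2.0.9)
LOCK

# Return the resolved version of a gem from Gemfile.lock text, or nil.
# Resolved gems are indented four spaces as "name (version)"; dependency
# constraints are indented six spaces and are skipped by the pattern.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Classify a lockfile as :patched, :upgrade (with target), :unlisted or :absent.
def spree_status(lockfile_text)
  # The announcement places the flaw in the API, so check spree_api first
  # and fall back to the spree meta gem (assumption about the store's setup).
  version = locked_version(lockfile_text, "spree_api") ||
            locked_version(lockfile_text, "spree")
  return { status: :absent } unless version

  series = version.segments.first(2).join(".")
  target = PATCHED[series]
  return { status: :unlisted, version: version.to_s } unless target

  if version >= target
    { status: :patched, version: version.to_s }
  else
    { status: :upgrade, version: version.to_s, target: target.to_s }
  end
end

if __FILE__ == $PROGRAM_NAME
  text = File.exist?("Gemfile.lock") ? File.read("Gemfile.lock") : SAMPLE_LOCK
  p spree_status(text)
end
```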
Thanks to Michael Nowak from Taktsoft for following security procedures and reporting the issue privately to the security team via the email@example.com address. This allowed us to quickly verify the problem and prepare the necessary security patches for public release.
Future security announcements
Going forward, the best way to ensure you receive all security announcements is to subscribe to the Spree security mailing list. The mailing list is very low traffic, and it receives the public notifications the moment the embargo is lifted. Security announcements will also continue to be published via our blog and social media.