We have just released new Spree versions 2.2.9 & 2.1.12.
The primary focus of these releases was resolving security flaws in the API. While no user or credit card data could be exploited with this flaw, there is the potential to commit fraud by manipulating order prices. It is recommended that all Spree installations running 2.1.x and 2.2.x upgrade as soon as possible.
Thanks to Jordan Brough for finding the issue and providing a patch to resolve it.
Reporting Security Issues
Please do not announce potential security vulnerabilities in public. We have a dedicated email address, email@example.com. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you with the discovery of the issue by naming you in a blog post.
If you would like to provide a patch yourself for the security issue do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:
$ git format-patch HEAD~1..HEAD --stdout > patch.txt
This command will generate a file called `patch.txt` with your changes. Please email a description of the patch along with the patch itself to firstname.lastname@example.org.
Older Versions of Spree
If you are using Spree versions 2.0.x and older, you should consider upgrading as soon as possible. While this security flaw only affects versions 2.1.x & 2.2.x, we have already reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.