We have just issued several new versions of Spree that address a critical security vulnerability present in all versions of Spree 1.2.x+.
An attacker with API access is able to execute arbitrary files on the server. It is likely that this could be leveraged to gain admin privileges, disclose the contents of files, or execute arbitrary code.
We recommend that all users upgrade immediately. The issue is especially urgent for stores that issue API keys to customers, since any such customer has the access needed to exploit it.
If you are unable or unwilling to upgrade, you can monkey patch your Spree application with an initializer, config/initializers/security_20150728.rb, as a quick workaround:

```ruby
# config/initializers/security_20150728.rb
# Force the `set` parameter to nil unless it is exactly "nested", so the
# taxonomies API never sees any other value.
Spree::Api::TaxonomiesController.before_filter do
  params[:set] = nil if params[:set] != "nested"
end
```

If you are using an unsupported version, such as 1.2.x, 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.
Previous security releases
If you have not already read about and patched last week's security release, it is urgent that you immediately upgrade to these latest releases, or patch the previous security vulnerability as well. While this current issue does require a valid API key, the previous one does not, making all unpatched Spree stores vulnerable.
Thanks again to John Hawthorn from Free Running Tech for reporting the issue privately, following his recent security audit, via the firstname.lastname@example.org address. This allowed us to verify the problem and prepare the necessary security patches for public release.
To see a complete list of changes please view the compare pages: