Impact
A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information.
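Because the vulnerable endpoint is keyed by incremental integer IDs, a sweep of it leaves a distinctive trace in web-server access logs: one client requesting many consecutive /api/v2/shop/adjustments/{id} paths. The following detection script is an added example and is not part of the Sylius advisory or project; it assumes your edge server writes the common/combined log format (the sample lines are constructed for illustration) and flags clients that fetched at least `min_ids` distinct adjustment IDs, then checks whether those IDs advance in small steps.

```python
import re
from collections import defaultdict

# Combined/common access log format as written by nginx or Apache (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint named in the advisory, with its integer id captured.
ADJ_RE = re.compile(r'^/api/v2/shop/adjustments/(?P<id>\d+)$')

# Constructed sample log: 203.0.113.7 sweeps ids 1001..1006, 198.51.100.2 is normal traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v2/shop/adjustments/1001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /api/v2/shop/adjustments/1002 HTTP/1.1" 200 498',
    '198.51.100.2 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v2/shop/orders/abc123 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v2/shop/adjustments/1003 HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /api/v2/shop/adjustments/1004 HTTP/1.1" 200 501',
    '198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v2/shop/adjustments/77?x=1 HTTP/1.1" 200 490',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v2/shop/adjustments/1005 HTTP/1.1" 200 503',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /api/v2/shop/adjustments/1006 HTTP/1.1" 200 511',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}


def find_enumerators(lines, min_ids=5):
    """Map client IP -> sorted adjustment ids for clients that requested at least min_ids distinct ids."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        # Drop any query string before matching the path.
        m = ADJ_RE.match(rec["path"].split("?", 1)[0])
        if m:
            seen[rec["ip"]].add(int(m["id"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_ids}


def is_sequential(ids, max_gap=2):
    """True when sorted ids advance in steps of at most max_gap: the signature of an incremental-ID sweep."""
    return len(ids) >= 2 and all(0 < b - a <= max_gap for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        kind = "sequential sweep" if is_sequential(ids) else "many ids"
        print(f"{ip}: {len(ids)} adjustment ids ({kind}), first {ids[0]} last {ids[-1]}")
```

Tune `min_ids` to your traffic: a legitimate checkout fetches at most a handful of adjustments for its own order, so even a low threshold produces few false positives, and the 404 responses in the sample are worth keeping in the count because a sweep also hits IDs that do not exist.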
Patches
The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above.
The /api/v2/shop/adjustments/{id} endpoint will always return a 404 status.
Workarounds
Using YAML configuration:
Create config/api_platform/Adjustment.yaml file:
# config/api_platform/Adjustment.yaml
'%sylius.model.adjustment.class%':
    itemOperations:
        shop_get:
            controller: ApiPlatform\Core\Action\NotFoundAction
            read: false
            output: false
Or using XML configuration:
Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version.
Copy the original configuration from vendor:
# create directory if it doesn't exist
mkdir -p config/api_platform
cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform
And change the shop_get operation in copied config/api_platform/Adjustment.xml file:
<!-- config/api_platform/Adjustment.xml -->
...
    <itemOperation name="shop_get">
        <attribute name="method">GET</attribute>
        <attribute name="path">/shop/adjustments/{id}</attribute>
        <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute>
        <attribute name="read">false</attribute>
        <attribute name="output">false</attribute>
    </itemOperation>
...
Update your API platform paths config if needed so the new configuration file is loaded:
# config/packages/api_platform.yaml
api_platform:
    mapping:
        paths:
            - '%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources'
            ...
            - '%kernel.project_dir%/config/api_platform'
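After applying either workaround (or upgrading), confirm on your own deployment that the endpoint really answers 404 for every ID, not only for IDs that do not exist. The script below is an added example, not part of the advisory or of Sylius; it assumes a base URL you supply and probes a few IDs of your choosing, and the `fetch` parameter exists so the logic can be exercised without a live server.

```python
import urllib.error
import urllib.request


def fetch_status(url, timeout=5):
    """GET url and return the HTTP status code; 4xx/5xx are results here, not exceptions."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe_adjustment_endpoint(base_url, sample_ids, fetch=fetch_status):
    """Return {id: status} for the vulnerable path on base_url (assumed shop URL, e.g. https://shop.example)."""
    base = base_url.rstrip("/")
    return {i: fetch(f"{base}/api/v2/shop/adjustments/{i}") for i in sample_ids}


def endpoint_is_closed(statuses):
    """True only when every probed id produced 404, the behaviour the advisory's fix and workarounds promise."""
    return bool(statuses) and all(code == 404 for code in statuses.values())


if __name__ == "__main__":
    import sys

    # Usage: python check_adjustments.py https://shop.example 1 2 3   (ids of adjustments you know exist)
    base, ids = sys.argv[1], [int(x) for x in sys.argv[2:]] or [1]
    result = probe_adjustment_endpoint(base, ids)
    print(result)
    print("closed" if endpoint_is_closed(result) else "STILL EXPOSED: some id did not return 404")
```

Pass IDs of adjustments that you know exist in your own database (for example from a test order placed as a guest); a 404 for a non-existent ID proves nothing, whereas a 404 for a real one shows the NotFoundAction override is in effect.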
For more information
If you have any questions or comments about this advisory: