Spree Authenticated Insecure Direct Object Reference Vulnerability Allowing Address Information Retrieval

Vulnerability

Spree contains an Insecure Direct Object Reference (IDOR) vulnerability that allows an authenticated user to obtain other users' address details through unauthorized order modifications. This issue affects Spree versions prior to 4.10.2, 5.0.7, 5.1.9, and 5.2.5. The vulnerability arises because the application fails to properly validate ownership of address identifiers when users edit their orders. Exploitation involves altering the address IDs in an order update request so that they reference addresses belonging to other users, which the server then processes as if they were the attacker's own.

Impact

Successful exploitation allows an authenticated user to access and associate another user's address with their own order, potentially leading to unauthorized address modifications.

Reproduction

To reproduce this vulnerability, an authenticated user can send a PATCH request to the '/api/v2/storefront/checkout' endpoint, including an order modification that references a bill or shipping address belonging to another user. The server will process this request and return the unauthorized address information in the response, demonstrating the IDOR vulnerability.
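The root cause described above (an address ID taken from the request and attached to the order without checking who owns it) and the check that removes it can be shown with a small stand-alone Ruby model. The following is an added example, not Spree's code or the patch itself: Address, Order, the in-memory ADDRESSES table, the NotAuthorized error and the two update functions are constructed stand-ins, and the IDs are made up. The checked variant resolves each submitted ID only among the current user's own addresses, so a reference to another user's address is rejected instead of being stored on the order.

```ruby
# Added example, not Spree's own code: a minimal model of the missing
# ownership check. The classes and data below are constructed for illustration.

Address = Struct.new(:id, :user_id, :line1)
Order   = Struct.new(:id, :user_id, :bill_address_id, :ship_address_id)

# Raised when a request references an address the current user does not own.
class NotAuthorized < StandardError; end

# Constructed sample data: two users, each owning exactly one address.
ADDRESSES = [
  Address.new(10, 1, "1 First St"),
  Address.new(20, 2, "2 Second Ave"),
].freeze

ADDRESS_KEYS = %i[bill_address_id ship_address_id].freeze

# Vulnerable pattern: the ID from the request is copied onto the order as-is,
# so user 1 can submit user 2's address ID and have it associated with the order.
def update_addresses_vulnerable(order, params)
  ADDRESS_KEYS.each do |key|
    order[key] = params[key] if params[key]
  end
  order
end

# Hardened pattern: each submitted ID is looked up scoped to the current user's
# own addresses; anything else raises before the order is touched.
def update_addresses_checked(order, current_user_id, params)
  resolved = {}
  ADDRESS_KEYS.each do |key|
    next unless params[key]
    owned = ADDRESSES.find { |a| a.id == params[key] && a.user_id == current_user_id }
    raise NotAuthorized, "address #{params[key]} is not owned by user #{current_user_id}" unless owned
    resolved[key] = owned.id
  end
  resolved.each { |key, id| order[key] = id }
  order
end

# Convenience wrapper returning true when the hardened variant rejects the request.
def rejected?(order, current_user_id, params)
  update_addresses_checked(order, current_user_id, params)
  false
rescue NotAuthorized
  true
end

if __FILE__ == $PROGRAM_NAME
  # User 1 tries to attach address 20, which belongs to user 2.
  cross_user = { bill_address_id: 20 }
  puts "vulnerable: bill_address_id=#{update_addresses_vulnerable(Order.new(100, 1), cross_user).bill_address_id}"
  puts "checked: rejected=#{rejected?(Order.new(101, 1), 1, cross_user)}"
  puts "checked, own address: bill_address_id=#{update_addresses_checked(Order.new(102, 1), 1, bill_address_id: 10).bill_address_id}"
end
```

The key design point is that the lookup is scoped by the authenticated user before the ID is ever written, rather than validating that the record merely exists; the same scoping applies to any other user-owned identifier accepted by an order update.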

Remediation

Users can update to Spree versions 4.10.2, 5.0.7, 5.1.9, or 5.2.5, where this vulnerability has been patched.

Added: Jan 8, 2026, 9:18 PM
Updated: Jan 8, 2026, 9:18 PM

Vulnerability Rating (custom algorithm)

spread: 3.4
impact: 2.5
exploitability: 6.8
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.