CVE-2021-32720

{"id": "CVE-2021-32720", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2021-06-28T19:15:11.397", "references": [{"url": "https://github.com/Sylius/Sylius/releases/tag/v1.9.5", "tags": ["Release Notes", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-rpxh-vg2x-526v", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Sylius is an Open Source eCommerce platform on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, part of the details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional information like the number of items in the cart and the date of the shipping may be fetched as well. This data seems to not be crucial nor is personal data, however, could be used for sociotechnical attacks or may expose a few details about shop condition to the third parties. The data possible to aggregate are the number of processed orders or their value in the moment of time. The problem has been patched at Sylius 1.9.5 and 1.10.0-RC.1. There are a few workarounds for the vulnerability. The first possible solution is to hide the problematic endpoints behind the firewall from not logged in users. This would put only the order list under the firewall and allow only authorized users to access it. Once a user is authorized, it will have access to theirs orders only. The second possible solution is to decorate the `\\Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension` and throw `Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException` if the class is executed for unauthorized user."}, {"lang": "es", "value": "Sylius es una plataforma Open Source eCommerce sobre Symfony. En las versiones de Sylius anteriores a 1.9.5 y 1.10.0-RC.1, parte de los detalles (ID del pedido, n\u00famero de pedido, total de art\u00edculos y valor del token) de todos los pedidos colocados estaban expuestos a usuarios no autorizados. Si es explotado apropiadamente, tambi\u00e9n se pueden obtener algunos datos adicionales como el n\u00famero de art\u00edculos en el carrito y la fecha de env\u00edo. Estos datos no parecen ser cruciales ni son datos personales, sin embargo, podr\u00edan ser usados para ataques sociot\u00e9cnicos o pueden exponer algunos detalles sobre el estado de la tienda a terceros. Los posibles datos que se pueden agregar son el n\u00famero de pedidos procesados o su valor en el momento. El problema ha sido parcheado en Sylius versiones 1.9.5 y 1.10.0-RC.1. Se presentan algunas soluciones para la vulnerabilidad. La primera soluci\u00f3n posible es ocultar los endpoints problem\u00e1ticos detr\u00e1s del firewall de los usuarios no conectados. Esto pondr\u00eda s\u00f3lo la lista de pedidos bajo el firewall y permitir\u00eda que s\u00f3lo los usuarios autorizados accedieran a ella. Una vez que un usuario est\u00e1 autorizado, s\u00f3lo tendr\u00e1 acceso a sus pedidos. La segunda soluci\u00f3n posible es decorar el \"Sylius\\Bundle\\ApiBundle\\Doctrine\\QueryCollectionExtension\\OrdersByLoggedInUserExtension\" y lanzar \"Symfony\\Component\\Security\\Core\\Exception\\AccessDeniedException\" si la clase es ejecutada por un usuario no autorizado"}], "lastModified": "2021-07-02T16:51:31.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFE4E23B-2717-4743-89D6-4229457048E2", "versionEndExcluding": "1.9.5", "versionStartIncluding": "1.9.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}