Skip to content

2.9.1 Release

Compare
Choose a tag to compare
@maarcingebala maarcingebala released this 24 Jan 15:43

This release fixes CVE-2020-7964 vulnerability issue in Saleor.

The checkoutCustomerAttach mutation failed to verify whether the customer ID passed matched the currently logged in user. This allowed users to generate checkout sessions and attach them to random existing users. User IDs are integers, so with enough effort, valid ones could be enumerated using brute force.

As the mutation returns the modified checkout object, the attacker could request its user field to retrieve information about the user the checkout was now assigned to. Information potentially disclosed includes: first and last name, address book contents, order history, and stored payment methods if any (card type, last four digits, expiration date).

Additionally, we’ve also provided a solution that makes sure any embedded user object will only be obtainable by a privileged site admin or by the same user if currently logged in. This affects the following fields:

  • Checkout.events
  • Checkout.user
  • CustomerEvent.user
  • GiftCard.user
  • Order.events
  • Order.user
  • OrderEvent.user
  • User.storedPaymentSources

Affected versions

All Saleor releases contain this mutation up to version 2.9.

Changelog