CVE-2024-40633
Sylius has a security vulnerability via adjustments API endpoint
Description
### Impact A security vulnerability was discovered in the `/api/v2/shop/adjustments/{id}` endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can access guest customer order details - sensitive guest customer information. ### Patches The issue is fixed in versions: 1.9.12, 1.10.16, 1.11.17, 1.12.19, 1.13.4 and above. The `/api/v2/shop/adjustments/{id}` will always return `404` status. ### Workarounds Using YAML configuration: Create `config/api_platform/Adjustment.yaml` file: ```yaml # config/api_platform/Adjustment.yaml '%sylius.model.adjustment.class%': itemOperations: shop_get: controller: ApiPlatform\Core\Action\NotFoundAction read: false output: false ``` Or using XML configuration: > Note: This is the only way of disabling the vulnerable endpoint for Sylius 1.9, as YAML configuration is not supported in that version. Copy the original configuration from vendor: ```bash # create directory if it doesn't exist mkdir -p config/api_platform cp vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources/Adjustment.xml config/api_platform ``` And change the `shop_get` operation in copied `config/api_platform/Adjustment.xml` file: ```xml <!-- config/api_platform/Adjustment.xml --> ... <itemOperation name="shop_get"> <attribute name="method">GET</attribute> <attribute name="path">/shop/adjustments/{id}</attribute> <attribute name="controller">ApiPlatform\Core\Action\NotFoundAction</attribute> <attribute name="read">false</attribute> <attribute name="output">false</attribute> </itemOperation> ... ``` Update your API platform paths config if needed so the new configuration file is loaded: ```yaml # config/packages/api_platform.yaml api_platform: mapping: paths: - '%kernel.project_dir%/vendor/sylius/sylius/src/Sylius/Bundle/ApiBundle/Resources/config/api_resources' ... - '%kernel.project_dir%/config/api_platform' ``` ### For more information If you have any questions or comments about this advisory: - Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues) - Email us at [security@sylius.com](mailto:security@sylius.com)
How to fix CVE-2024-40633
To remediate CVE-2024-40633, upgrade the affected package to a fixed version below.
- —upgrade to 1.12.19 or later