From 9aef0b6a198ec25f3db2675ce38f37726f3042a2 Mon Sep 17 00:00:00 2001
From: Oussama RAHALI
Date: Tue, 29 Aug 2023 11:05:06 +0100
Subject: [PATCH 1/4] Add patched version for CVE-2013-1656

---
 gems/spree/CVE-2013-1656.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gems/spree/CVE-2013-1656.yml b/gems/spree/CVE-2013-1656.yml
index 446ebdea91..bdf08e8572 100644
--- a/gems/spree/CVE-2013-1656.yml
+++ b/gems/spree/CVE-2013-1656.yml
@@ -6,7 +6,7 @@ url: https://blog.convisoappsec.com/en/spree-commerce-multiple-unsafe-reflection
 title: Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution
 date: 2013-02-21
 description: |
-  Spree Commerce 1.0.x through 1.3.2 allows remote authenticated
+  Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated
   administrators to instantiate arbitrary Ruby objects and executd
   arbitrary commands via the (1) payment_method parameter to
   core/app/controllers/spree/admin/
@@ -18,7 +18,7 @@ description: |
   of the constantize function.
 cvss_v2: 4.3
 patched_versions:
-  - ">= 2.0.0"
+  - ">= 2.0.0.rc1"
 related:
   url:
     - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed

From fc8ae7e27d443e55cc6c1c0fb03fa54aca40d9bc Mon Sep 17 00:00:00 2001
From: Oussama RAHALI
Date: Tue, 29 Aug 2023 16:16:42 +0100
Subject: [PATCH 2/4] Update related urls for CVE-2013-1656

---
 gems/spree/CVE-2013-1656.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gems/spree/CVE-2013-1656.yml b/gems/spree/CVE-2013-1656.yml
index bdf08e8572..8ed2befd4e 100644
--- a/gems/spree/CVE-2013-1656.yml
+++ b/gems/spree/CVE-2013-1656.yml
@@ -22,3 +22,4 @@ patched_versions:
 related:
   url:
     - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+    - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
\ No newline at end of file

From ba2e7e7996cdf5f3aa9f1ab552e240eaf9e69a77 Mon Sep 17 00:00:00 2001
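Review bot: The context line directly under the rewritten range still reads `executd`, and since this hunk already rewords the first line of the description, the typo should be corrected in the same change: `  administrators to instantiate arbitrary Ruby objects and execute`. Advisory text is what consumers and scanners display verbatim, so the wording should be clean. The `description` block continues past the end of the hunk.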
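Review bot: `patched_versions` now names the pre-release `>= 2.0.0.rc1`, which agrees with the new description wording, but the description also scopes the bug to `1.0.x` and nothing in the file tells a consumer that releases before 1.0 are out of range, so a version matcher would treat every 0.x release as vulnerable. If the lower bound is real, an `unaffected_versions` entry such as `- "< 1.0.0"` keeps the machine-readable fields consistent with the text; I cannot confirm that bound from this hunk, so verify it against the upstream advisory first. Note that the `2.0.0.rc1` boundary is now stated twice (`description` and `patched_versions`), so any later correction must touch both.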
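Review bot: The added URL line drops the file's trailing newline — the `\ No newline at end of file` marker appears on the new side only — so the file should end with a newline after the github.com URL. The [PATCH 3/4] and [PATCH 4/4] hunks carry the same missing newline and otherwise only swap the two URLs and swap them back, leaving the series at exactly this hunk's state; squashing those two commits into this one would remove the no-op churn from the history.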
From: Oussama RAHALI
Date: Tue, 29 Aug 2023 18:25:07 +0100
Subject: [PATCH 3/4] Update related urls for CVE-2013-1656

---
 gems/spree/CVE-2013-1656.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gems/spree/CVE-2013-1656.yml b/gems/spree/CVE-2013-1656.yml
index 8ed2befd4e..a49215f9ea 100644
--- a/gems/spree/CVE-2013-1656.yml
+++ b/gems/spree/CVE-2013-1656.yml
@@ -21,5 +21,5 @@ patched_versions:
   - ">= 2.0.0.rc1"
 related:
   url:
-    - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-    - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
\ No newline at end of file
+    - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
+    - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
\ No newline at end of file

From 8853492398cc636f53aff1f704eea4e7c96f2a88 Mon Sep 17 00:00:00 2001
From: Oussama RAHALI
Date: Tue, 29 Aug 2023 18:25:29 +0100
Subject: [PATCH 4/4] Update related urls for CVE-2013-1656

---
 gems/spree/CVE-2013-1656.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gems/spree/CVE-2013-1656.yml b/gems/spree/CVE-2013-1656.yml
index a49215f9ea..8ed2befd4e 100644
--- a/gems/spree/CVE-2013-1656.yml
+++ b/gems/spree/CVE-2013-1656.yml
@@ -21,5 +21,5 @@ patched_versions:
   - ">= 2.0.0.rc1"
 related:
   url:
-    - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
-    - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
\ No newline at end of file
+    - https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+    - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7
\ No newline at end of file