Spree Commerce

Security Fix for all Spree Versions

Posted on July 20, 2015 by Jeff Dutil

We have just issued several new versions of Spree that address a critical security vulnerability. A vulnerability in the API was discovered which could allow an attacker read access to any file on the server.

We strongly advise everyone to upgrade to the latest version of Spree available for their stores immediately. For example, if you’re running v2.4.7, please upgrade to v2.4.8 immediately.

If you are unable or unwilling to upgrade, you can monkey-patch your Spree application with an initializer, config/initializers/security_20150720.rb, as a quick workaround:

# config/initializers/security_20150720.rb
# Reopens the API responder so that template lookup always returns the
# default template; no other template name is ever used.
module Spree::Api::Responders::RablTemplate
  def template
    options[:default_template]
  end
end

If you are using an unsupported version, such as 1.3.x, 2.0.x or 2.1.x, you should use the above initializer as a workaround.
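The workaround above works by never letting anything but the configured default decide which template the responder renders. As an added example (not Spree's own code), the stand-in module below shows that pattern in plain Ruby, a stricter allowlist variant for responders that legitimately offer several templates, and a small check a deployer can run from a Rails console to confirm that the initializer actually replaced the responder's template method. The module name SafeTemplateResponder, the method names, and the template names in the allowlist are assumptions made for this illustration.

```ruby
# Added example, not code from the Spree project. Stand-in for the API
# responder's template selection; all names here are hypothetical.
module SafeTemplateResponder
  # Fixed list of templates this responder may ever render. Constructed for
  # the example; a real application would list its own API views.
  ALLOWED_TEMPLATES = %w[spree/api/products/show spree/api/products/index].freeze

  # Mirrors the advisory's workaround: whatever else the options hash carries,
  # only :default_template decides what gets rendered.
  def self.default_only(options)
    options.fetch(:default_template)
  end

  # Stricter variant for responders that legitimately offer several templates:
  # the requested name must match an allowlist entry exactly, otherwise the
  # default is used. No request-derived string is ever turned into a path.
  def self.select_template(requested, default, allowed = ALLOWED_TEMPLATES)
    return default if requested.nil?
    allowed.include?(requested.to_s) ? requested.to_s : default
  end

  # Deployment check: true when the module's #template method was defined in
  # the given initializer file, i.e. the monkey patch is the active definition.
  # Intended to be run in a Rails console as
  #   SafeTemplateResponder.workaround_active?(Spree::Api::Responders::RablTemplate)
  # Returns false when the module is not loaded or has no #template method.
  def self.workaround_active?(mod, initializer: "config/initializers/security_20150720.rb")
    return false if mod.nil? || !mod.method_defined?(:template)
    file, _line = mod.instance_method(:template).source_location
    file.to_s.end_with?(initializer)
  end
end

# Stand-alone demonstration with constructed inputs.
if __FILE__ == $PROGRAM_NAME
  opts = { template: "some/other/template", default_template: "spree/api/products/show" }
  puts SafeTemplateResponder.default_only(opts)
  puts SafeTemplateResponder.select_template("spree/api/products/index", "spree/api/products/show")
  puts SafeTemplateResponder.select_template("not/a/known/template", "spree/api/products/show")
end
```

The allowlist variant is the shape to reach for when you cannot simply pin one template: membership in a fixed list is checked, never a filesystem path built from the request. The workaround_active? check relies on Ruby's Method#source_location, which reports the file that last defined the method, so it tells you whether the initializer's definition won over the gem's.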

Credit

Thanks to John Hawthorn from Free Running Tech for reporting the issue privately after his recent security audit via the security@spreecommerce.com email. This allowed us to verify the problem and prepare the necessary security patches for public release.

Full Changes

To see a complete list of changes please view the compare pages: