Saleor v2.9.1 Release Notes

Release Date: 2020-01-24 // 5 days ago
  • 🚀 This release fixes a vulnerability issue in Saleor.

    The checkoutCustomerAttach mutation failed to verify whether the customer ID passed matched the currently logged in user. This allowed users to generate checkout sessions and attach them to random existing users. User IDs are integers, so with enough effort, valid ones could be enumerated using brute force.

    As the mutation returns the modified checkout object, the attacker could request its user field to retrieve information about the user the checkout was now assigned to. Information potentially disclosed includes: first and last name, address book contents, order history, and stored payment methods if any (card type, last four digits, expiration date).

    ➕ Additionally, we’ve also provided a solution that makes sure any embedded user object will only be obtainable by a privileged site admin or by the same user if currently logged in. This affects the following fields:

    • Checkout.user
    • CustomerEvent.user
    • GiftCard.user
    • Order.user
    • OrderEvent.user
    • User.storedPaymentSources

    CVE for this issue is pending.

    Affected versions

    🚀 All Saleor releases contain this mutation up to version 2.9.

    🔄 Changelog

Previous changes from v2.9.0