Updated advisory posts against rubysec/ruby-advisory-db@f118d91

Author: jasnow

advisories/_posts/2026-02-05-GHSA-87fh-rc96-6fr6.md

@@ -0,0 +1,104 @@
+---
+layout: advisory
+title: 'GHSA-87fh-rc96-6fr6 (spree_api): Unauthenticated Spree Commerce users can
+  access all guest addresses'
+comments: false
+categories:
+- spree_api
+advisory:
+  gem: spree_api
+  ghsa: 87fh-rc96-6fr6
+  url: https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
+  title: Unauthenticated Spree Commerce users can access all guest addresses
+  date: 2026-02-05
+  description: |
+    ### Summary
+
+    A critical IDOR vulnerability exists in Spree Commerce's guest
+    checkout flow that allows any guest user to bind arbitrary guest
+    addresses to their order by manipulating address ID parameters.
+    This enables unauthorized access to other guests' personally
+    identifiable information (PII) including names, addresses and
+    phone numbers. The vulnerability bypasses existing ownership
+    validation checks and affects all guest checkout transactions.
+
+    ### Impact
+
+    This issue may lead to disclosure of PII of guest users (including
+    names, addresses and phone numbers).
+
+    ### Unauthenticated users can access all guest addresses (`GHSL-2026-027`)
+
+    The vulnerability stems from incomplete authorization validation
+    in Spree's checkout address assignment logic. While nested address
+    attributes (`bill_address_attributes[id]` and
+    `ship_address_attributes[id]`) are properly validated through
+    `validate_address_ownership`, plain ID parameters (`bill_address_id`
+    and `ship_address_id`) bypass this check entirely. Since Spree's
+    address IDs are sequential numbers, an attacker might get all
+    guest addresses by simply enumerating over them.
+
+    ### Affected Code Components
+
+    1. **Permitted Attributes** ([`core/lib/spree/permitted_attributes.rb:92–96`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96))
+       - Allows `bill_address_id` and `ship_address_id` as permitted
+         parameters without validation
+
+    2. **Checkout Update** ([`core/app/models/spree/order/checkout.rb:241–254`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254))
+       - Applies permitted parameters directly to the Order model
+         via `update_from_params`
+
+    3. **Incomplete Ownership Validation** ([`core/app/services/spree/checkout/update.rb:33–48`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48))
+       - `validate_address_ownership` only validates nested attributes structure
+       - Does NOT validate plain `bill_address_id`/`ship_address_id` fields
+
+    4. **Vulnerable Assignment Logic** ([`core/app/models/spree/order/address_book.rb:16–23, 31–38`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38))
+       * [`bill_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L24)
+       * [`ship_address_id=` setter](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L31-L39)
+
+    Both setters check that: `address.user_id == order.user_id`. For
+    guest orders: nil == nil → TRUE ✓ (bypass!)
+
+    #### Impact
+
+    This issue may lead to disclosure of PII of guest users (including
+    names, addresses and phone numbers).
+
+    #### CWEs
+
+    - CWE-639: Authorization Bypass Through User-Controlled Key
+    - CWE-284: Improper Access Control
+
+    ### Credit
+
+    This issue was discovered with the [GitHub Security Lab Taskflow
+    Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+    and manually verified by GHSL team members
+    [@p- (Peter Stöckli)](https://github.com/p-) and
+    [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+    ### Disclosure Policy
+
+    This report is subject to a 90-day disclosure deadline, as
+    described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+  patched_versions:
+  - "~> 4.10.3"
+  - "~> 5.0.8"
+  - "~> 5.1.10"
+  - "~> 5.2.7"
+  - ">= 5.3.2"
+  related:
+    url:
+    - https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6
+    - https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734
+    - https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f
+    - https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8
+    - https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748
+    - https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96
+    - https://github.com/advisories/GHSA-87fh-rc96-6fr6
+  notes: "- CVE-2026-25758 in GHSA Advisory.\n"
+---

advisories/_posts/2026-02-05-GHSA-p6pv-q7rc-g4h9.md

@@ -0,0 +1,85 @@
+---
+layout: advisory
+title: 'GHSA-p6pv-q7rc-g4h9 (spree_storefront): Unauthenticated Spree Commerce users
+  can view completed guest orders by Order ID'
+comments: false
+categories:
+- spree_storefront
+advisory:
+  gem: spree_storefront
+  ghsa: p6pv-q7rc-g4h9
+  url: https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+  title: Unauthenticated Spree Commerce users can view completed guest orders by Order
+    ID
+  date: 2026-02-05
+  description: |
+    ### Unauthenticated users can view completed guest orders by Order ID (`GHSL-2026-029`)
+
+    The `OrdersController#show` action permits viewing completed
+    guest orders by order number alone, without requiring the
+    associated order token.
+
+    Order lookup without enforcing token requirement in [`OrdersController#show`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14):
+
+    ```ruby
+    @order = complete_order_finder.new(number: params[:id],
+      token: params[:token], store: current_store).execute.first
+    ```
+
+    Authorization bypass for guest orders in [`authorize_access`](https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8):
+    ```ruby
+    def authorize_access
+      return true if @order.user_id.nil?
+
+      @order.user == try_spree_current_user
+    end
+    ```
+
+    If the attacker is in possession of a leaked Order ID, they might
+    look it up directly via this API.
+    Alternatively, brute forcing all or parts of the possible
+    Order IDs might be feasible for an attacker. (The Order IDs
+    themselves are [securely generated](https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45),
+    but with relatively low entropy: by default an order ID has a
+    length of 9 and a base of 10, that would require an attacker to
+    perform 1 billion requests to gather all guest orders. (At an
+    assumed constant rate of 100 requests per second it would take 115 days.)
+
+    #### Impact
+
+    This issue may lead to disclosure of PII of guest users
+    (including names, addresses and phone numbers).
+
+    #### CWEs
+
+    - CWE-639: Authorization Bypass Through User-Controlled Key
+
+    ### Credit
+
+    This issue was discovered with the [GitHub Security Lab Taskflow Agent](https://github.com/GitHubSecurityLab/seclab-taskflow-agent)
+    and manually verified by GHSL team members
+    [@p- (Peter Stöckli)](https://github.com/p-) and
+    [@m-y-mo (Man Yue Mo)](https://github.com/m-y-mo).
+
+    ### Disclosure Policy
+
+    This report is subject to a 90-day disclosure deadline, as
+    described in more detail in our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy).
+  patched_versions:
+  - "~> 5.0.8"
+  - "~> 5.1.10"
+  - "~> 5.2.7"
+  - ">= 5.3.2"
+  related:
+    url:
+    - https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9
+    - https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab
+    - https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be
+    - https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d
+    - https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14
+    - https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8
+    - https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45
+    - https://github.com/advisories/GHSA-p6pv-q7rc-g4h9
+  notes: "- CVE-2026-25757 in GHSA advisory.\n"
+---