Spree API Security Vulnerability
John Hawthorn
17 Jul 2015 - 1 min read
On Friday we came across a serious security vulnerability in the Spree/Solidus API. The effect of this vulnerability is that an attacker is able to access any file on the system. A valid API key is not required to exploit this.
All users should patch their servers immediately. We've provided the following monkey patch to remove the vulnerability. It should be put in an initializer, for example config/initializers/spree_api_template_security.rb.
    # Override the responder's template lookup so that only the default
    # template for the action is ever rendered, regardless of request input.
    module Spree::Api::Responders::RablTemplate
      def template
        options[:default_template]
      end
    end
We have also provided the fix as a patch.
This affects all versions of Spree (1.3 and up) and Solidus 1.0.0.pre. It has been fixed on the Solidus master branch and in 1.0.0.pre2.
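To confirm the monkey patch actually takes effect in a deployment, here is an added example (not from the post and not Spree's or Solidus's own code). It uses a constructed stand-in responder that assumes the pre-patch template method honoured a caller-supplied :template option (an assumption for illustration); after the post's patch is applied, the caller's choice is ignored and only the default template is rendered.

```ruby
# Constructed stand-in for the Spree API responder (assumption, not Spree's
# source) so the effect of the advisory's monkey patch can be checked alone.
module Spree; module Api; module Responders; end; end; end

module Spree::Api::Responders::RablTemplate
  attr_reader :options

  def initialize(options)
    @options = options
  end

  # Assumed pre-patch behaviour: a caller-controlled template name wins
  # over the action's default template.
  def template
    options[:template] || options[:default_template]
  end
end

class FakeResponder
  include Spree::Api::Responders::RablTemplate
end

# Returns the template the stand-in responder would render for these options.
def rendered_template(options)
  FakeResponder.new(options).template
end

# Constructed request options: a caller-supplied template next to the default.
HOSTILE_OPTIONS = {
  template: "../../not/a/view",              # constructed, caller-controlled
  default_template: "spree/api/products/show" # what the action should render
}.freeze

BEFORE_PATCH = rendered_template(HOSTILE_OPTIONS) # "../../not/a/view"

# The advisory's monkey patch, applied exactly as the post gives it.
module Spree::Api::Responders::RablTemplate
  def template
    options[:default_template]
  end
end

AFTER_PATCH = rendered_template(HOSTILE_OPTIONS) # "spree/api/products/show"

# Deployment check: the patch must make the caller's template choice irrelevant.
def patch_effective?(options = HOSTILE_OPTIONS)
  rendered_template(options) == options[:default_template]
end
```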
It is likely that this remote file access can be leveraged to execute arbitrary code, and it should be treated as such. Servers and databases should be assumed to have been compromised. We recommend everyone replace all security credentials, including database passwords, SSH keys, payment gateway credentials, API tokens, and passwords.