

GSD-2008-7310

Vulnerability from gsd - Updated: 2008-09-22 00:00
Details
Spree contains a hash restriction weakness that occurs when parsing a modified URL. This may allow an attacker to manipulate order state values.
Aliases

{
  "GSD": {
    "alias": "CVE-2008-7310",
    "description": "Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability.",
    "id": "GSD-2008-7310"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "spree",
            "purl": "pkg:gem/spree"
          }
        }
      ],
      "aliases": [
        "CVE-2008-7310",
        "OSVDB-81505"
      ],
      "details": "Spree contains a hash restriction weakness that occurs when parsing a\nmodified URL. This may allow an attacker to manipulate order state values.\n",
      "id": "GSD-2008-7310",
      "modified": "2008-09-22T00:00:00.000Z",
      "published": "2008-09-22T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://spreecommerce.com/blog/security-vulnerability-mass-assignment"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.0,
          "type": "CVSS_V2"
        }
      ],
      "summary": "Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation\n"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-7310",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/",
            "refsource": "CONFIRM",
            "url": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/"
          },
          {
            "name": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment",
            "refsource": "MISC",
            "url": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2008-7310",
      "cvss_v2": 5.0,
      "date": "2008-09-22",
      "description": "Spree contains a hash restriction weakness that occurs when parsing a\nmodified URL. This may allow an attacker to manipulate order state values.\n",
      "gem": "spree",
      "osvdb": 81505,
      "patched_versions": [
        "\u003e= 0.3.0"
      ],
      "title": "Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation\n",
      "url": "https://spreecommerce.com/blog/security-vulnerability-mass-assignment"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "=0.2.0",
          "affected_versions": "Version 0.2.0",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2012-04-05",
          "description": "Spree does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability.",
          "fixed_versions": [
            "0.4.0"
          ],
          "identifier": "CVE-2008-7310",
          "identifiers": [
            "CVE-2008-7310"
          ],
          "not_impacted": "All versions before 0.2.0, all versions after 0.2.0",
          "package_slug": "gem/spree",
          "pubdate": "2012-04-05",
          "solution": "Upgrade to version 0.4.0 or above.",
          "title": "Credentials Management Errors",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2008-7310",
            "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/",
            "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
          ],
          "uuid": "4e036fa8-8719-4b20-8562-e5ca6cee6e0b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:spreecommerce:spree:0.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-7310"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Spree 0.2.0 does not properly restrict the use of a hash to provide values for a model\u0027s attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a \"mass assignment\" vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-255"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://spreecommerce.com/blog/2008/09/16/security-vulnerability-mass-assignment-of-order-params/"
            },
            {
              "name": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment",
              "refsource": "MISC",
              "tags": [],
              "url": "http://railspikes.com/2008/9/22/is-your-rails-application-safe-from-mass-assignment"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2012-04-05T13:25Z",
      "publishedDate": "2012-04-05T13:25Z"
    }
  }
}