製品・ソフトウェアに関する情報

JVN脆弱性詳細

saleorにおける認可されていない行為者への個人情報の漏えいに関する脆弱性

Title	saleorにおける認可されていない行為者への個人情報の漏えいに関する脆弱性
Summary	Saleorは大規模企業向けのECプラットフォームです。`Pickup: Local stock only`（店頭受取: 店舗在庫のみ）を特定の条件下で配送方法として利用すると、顧客が倉庫の住所を自分の住所で上書きでき、その結果、その住所が店頭受取先として表示される可能性があります。この問題は、バージョン `3.14.61`、`3.15.37`、`3.16.34`、`3.17.32`、`3.18.28`、`3.19.15` で修正されています。
Possible impacts	当該ソフトウェアが扱う情報の一部が外部に漏れる可能性があります。また、当該ソフトウェアが扱う情報の一部が書き換えられる可能性があります。さらに、当該ソフトウェアは停止しません。そして、この脆弱性を悪用した攻撃の影響は、他のソフトウェアには及びません。
Solution	正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 27, 2024, midnight
Registration Date	Jan. 13, 2026, 3 p.m.
Last Update	Jan. 13, 2026, 3 p.m.

CVSS3.0 : 警告
Score	5.4
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected System

saleor

saleor 3.14.56 以上 3.14.61 未満

saleor 3.15.31 以上 3.15.37 未満

saleor 3.16.27 以上 3.16.34 未満

saleor 3.17.25 以上 3.17.32 未満

saleor 3.18.19 以上 3.18.28 未満

saleor 3.19.5 以上 3.19.15 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-29888	https://www.cve.org/CVERecord?id=CVE-2024-29888
National Vulnerability Database (NVD)
2	CVE-2024-29888	https://nvd.nist.gov/vuln/detail/CVE-2024-29888

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-359	https://cwe.mitre.org/data/definitions/359.html

ベンダー情報

No	Name	URL
GitHub Advisory Database
1	Customers addresses leak when using Warehouse as a `Pickup: Local stock only` delivery method Advisory saleor/saleor GitHub	https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45

その他

No	Name	URL
関連文書
1	Fix tax calculation for Click and Collect option. (#15487) saleor/saleor@ef003c7 GitHub	https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640
2	Fix tax calculation for Click and Collect option. (#15488) saleor/saleor@39abb0f GitHub	https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c
3	Fix tax calculation for Click and Collect option. (#15489) saleor/saleor@b7cecda GitHub	https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4
4	Fix tax calculation for Click and Collect option. (#15490) saleor/saleor@dccc2c8 GitHub	https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182
5	Fix tax calculation for Click and Collect option. (#15491) saleor/saleor@d8ba545 GitHub	https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95
6	Fix tax calculation for Click and Collect option. (#15505) saleor/saleor@22a1aa3 GitHub	https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761
7	Fix incorrect assigment of the shipping address by korycins Pull Request #15694 saleor/saleor GitHub	https://github.com/saleor/saleor/pull/15694
8	Fix relation between order and click and collect address (#15697) saleor/saleor@47cedfd GitHub	https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b
9	Fix relation between order and click and collect address by IKarbowiak Pull Request #15697 saleor/saleor GitHub	https://github.com/saleor/saleor/pull/15697
10	Fix `FLAT_RATE` tax calculation for Click and Collect option. (#15426) saleor/saleor@997f7ea GitHub	https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26

Change Log

No	Changed Details	Date of change
1	[2026年01月13日] 掲載	Jan. 13, 2026, 3 p.m.

NVD Vulnerability Information

CVE-2024-29888

Summary	Saleor is an e-commerce platform that serves high-volume companies. When using `Pickup: Local stock only` click-and-collect as a delivery method in specific conditions the customer could overwrite the warehouse address with its own, which exposes its address as click-and-collect address. This issue has been patched in versions: `3.14.61`, `3.15.37`, `3.16.34`, `3.17.32`, `3.18.28`, `3.19.15`.
Publication Date	March 28, 2024, 4:15 a.m.
Registration Date	March 28, 2024, 10 a.m.
Last Update	Nov. 21, 2024, 6:08 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761
2	https://github.com/saleor/saleor/commit/22a1aa3ef0bc54156405f69146788016a7f3f761
3	https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c
4	https://github.com/saleor/saleor/commit/39abb0f4e4fe6503f81bfbb871227e4f70bcdd5c
5	https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b
6	https://github.com/saleor/saleor/commit/47cedfd7d6524d79bdb04708edcdbb235874de6b
7	https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26
8	https://github.com/saleor/saleor/commit/997f7ea4f576543ec88679a86bfe1b14f7f2ff26
9	https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4
10	https://github.com/saleor/saleor/commit/b7cecda8b603f7472790150bb4508c7b655946d4
11	https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95
12	https://github.com/saleor/saleor/commit/d8ba545c16ad3153febc5b5be8fd2ef75da9fc95
13	https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182
14	https://github.com/saleor/saleor/commit/dccc2c842b4e2e09470929c80f07dc137e439182
15	https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640
16	https://github.com/saleor/saleor/commit/ef003c76a304c89ddb2dc65b7f1d5b3b2ba1c640
17	https://github.com/saleor/saleor/pull/15694
18	https://github.com/saleor/saleor/pull/15694
19	https://github.com/saleor/saleor/pull/15697
20	https://github.com/saleor/saleor/pull/15697
21	https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45
22	https://github.com/saleor/saleor/security/advisories/GHSA-mrj3-f2h4-7w45

Common Vulnerabilities List