
CVE-2023-2017

2023-04-17 11:15:42
CWE: CWE-94, CWE-1336, CWE-184
Source: web.nvd.nist.gov
Tags: cve, ssti, shopware 6, security, remote code execution, twig, github

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9 High (Confidence: High)

EPSS: 0.008 Low (Percentile: 81.9%)

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

Affected configurations

NVD
Node: shopware / shopware, Range 6.1.0 – 6.4.20.0
OR
Node: shopware / shopware, Match 6.5.0.0 rc1
OR
Node: shopware / shopware, Match 6.5.0.0 rc2
OR
Node: shopware / shopware, Match 6.5.0.0 rc3

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Shopware 6",
    "vendor": "Shopware AG",
    "versions": [
      {
        "lessThanOrEqual": "6.4.20.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.5.0.0-rc4",
        "status": "affected",
        "version": "6.5.0.0-rc1",
        "versionType": "semver"
      }
    ]
  }
]

