CVELIST:CVE-2023-2017 (source: STAR_Labs)

CVE-2023-2017 Improper Control of Generation of Code in Twig Rendered Views in Shopware

2023-04-17 10:18:27
CWE-184 (Incomplete List of Disallowed Inputs)
CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine)
STAR_Labs
www.cve.org
shopware
remote code execution
twig rendered views

CVSS3: 8.8 High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.8 High (Confidence: High)

EPSS: 0.008 Low (Percentile: 81.9%)

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, and v6.5.0.0-rc1 through v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment that lacks the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call arbitrary PHP functions, and thus execute arbitrary code or commands, by referencing callables through fully-qualified names supplied as an array of strings. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of the fix for CVE-2023-22731. The attacker must already be able to place template content into a Twig environment that the shop renders (hence PR:L in the vector), but no further user interaction is required.
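The description above boils down to a name-based check on the callable handed to Twig's callable-taking filters (map, filter, reduce, sort) that can be sidestepped by spelling the callable differently. The following stand-alone PHP model is an added example, not Shopware's SecurityExtension or Twig code, and it does not reproduce the exact logic Shopware shipped: the weak validator is a constructed denylist that only inspects plain strings (the CWE-184 pattern), the class DemoStatic and the allow/deny lists are invented for the demonstration, and no shell command is executed anywhere. It contrasts that weak check with a hardened one that canonicalises the name and accepts only allowlisted plain strings.

```php
<?php
// Added example (not code from Shopware or Twig): a stand-alone PHP model of the
// check a Twig callable-taking filter (map/filter/reduce/sort) needs when the
// template author is untrusted. DemoStatic, the lists and the case labels are
// constructed for this demonstration. Requires PHP >= 8.0.
declare(strict_types=1);

// Harmless stand-in for "some static method reachable through the autoloader".
final class DemoStatic
{
    public static function shout(string $s): string
    {
        return strtoupper($s) . '!';
    }
}

// Weak validator (assumed pattern): a denylist of function NAMES, consulted only
// when the callable arrives as a plain string (CWE-184: the list does not cover
// every spelling, and non-string callables are never looked at).
function weakCallableCheck(mixed $fn): bool
{
    $denied = ['system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open'];
    if (\is_string($fn)) {
        return !\in_array($fn, $denied, true); // '\system' !== 'system' -> passes
    }
    return true; // ['Class', 'method'] arrays and closures are waved through
}

// Hardened validator: plain strings only, canonicalised (leading backslash
// stripped, case folded, 'Class::method' form refused), then an allowlist lookup.
function strictCallableCheck(mixed $fn): bool
{
    $allowed = ['strtoupper', 'strtolower', 'trim', 'ucfirst', 'abs'];
    if (!\is_string($fn) || \str_contains($fn, '::')) {
        return false;
    }
    $name = \strtolower(\ltrim($fn, '\\'));
    return \in_array($name, $allowed, true);
}

// Evaluate both validators against the callable forms a template could supply.
// Returns [label => ['is_callable' => bool, 'weak' => bool, 'strict' => bool]].
function runChecks(): array
{
    $cases = [
        'string "strtoupper"'          => 'strtoupper',
        'string "system"'              => 'system',
        'fully-qualified "\\system"'   => '\\system',
        'string "DemoStatic::shout"'   => 'DemoStatic::shout',
        'array ["DemoStatic","shout"]' => ['DemoStatic', 'shout'],
    ];
    $out = [];
    foreach ($cases as $label => $fn) {
        $out[$label] = [
            'is_callable' => \is_callable($fn), // PHP would happily invoke it
            'weak'        => weakCallableCheck($fn),
            'strict'      => strictCallableCheck($fn),
        ];
    }
    return $out;
}

foreach (runChecks() as $label => $r) {
    printf("%-32s callable=%-3s weak=%-7s strict=%s\n",
        $label,
        $r['is_callable'] ? 'yes' : 'no',
        $r['weak'] ? 'ALLOWED' : 'blocked',
        $r['strict'] ? 'ALLOWED' : 'blocked');
}

// Only a callable that passed the strict check is handed to array_map (the
// analogue of Twig's map filter); system() is never invoked in this file.
print_r(array_map('strtoupper', ['a', 'b']));
```

Running it shows the weak check rejecting the literal "system" but allowing "\system", "DemoStatic::shout" and the array form, all of which is_callable() reports as invokable; the strict check rejects every one of them and allows only the allowlisted plain name. The broader lesson matches the advisory's own wording: when templates can be authored by less-trusted users, the supported control is Twig's SandboxExtension with a SecurityPolicy that allowlists tags, filters, functions, methods and properties, rather than a hand-written name filter in front of an unsandboxed environment.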

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Shopware 6",
    "vendor": "Shopware AG",
    "versions": [
      {
        "lessThanOrEqual": "6.4.20.0",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.5.0.0-rc4",
        "status": "affected",
        "version": "6.5.0.0-rc1",
        "versionType": "semver"
      }
    ]
  }
]
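The CNA record above encodes two affected ranges with semver bounds. The following PHP snippet is an added example, not Shopware's code, that evaluates an installed version string against that record as copied verbatim from this page; the installed versions it tests are constructed, and it assumes PHP's version_compare() orders these particular tags the way semver does (6.5.0.0-rc1 < 6.5.0.0-rc4 < 6.5.0.0), which holds for the "rc" suffix but not necessarily for arbitrary pre-release labels.

```php
<?php
// Added example (not Shopware's code): check an installed Shopware version
// against the CNA "affected" ranges for CVE-2023-2017. The JSON is copied from
// the advisory above; the versions tested below are constructed.
// Assumption: version_compare() orders 6.5.0.0-rc1 < 6.5.0.0-rc4 < 6.5.0.0.
declare(strict_types=1);

const CNA_AFFECTED_JSON = <<<'JSON'
[
  {
    "defaultStatus": "unaffected",
    "product": "Shopware 6",
    "vendor": "Shopware AG",
    "versions": [
      {"lessThanOrEqual": "6.4.20.0", "status": "affected", "version": "0", "versionType": "semver"},
      {"lessThanOrEqual": "6.5.0.0-rc4", "status": "affected", "version": "6.5.0.0-rc1", "versionType": "semver"}
    ]
  }
]
JSON;

// Returns the status ("affected" / "unaffected") of $installed for the first
// product in the CNA record: the first range that contains the version wins,
// otherwise the record's defaultStatus applies.
function statusFor(string $installed, string $json = CNA_AFFECTED_JSON): string
{
    $product = json_decode($json, true, 512, JSON_THROW_ON_ERROR)[0];
    foreach ($product['versions'] as $range) {
        $fromOk = version_compare($installed, $range['version'], '>=');
        $toOk   = !isset($range['lessThanOrEqual'])
               || version_compare($installed, $range['lessThanOrEqual'], '<=');
        if ($fromOk && $toOk) {
            return $range['status'];
        }
    }
    return $product['defaultStatus'];
}

// Constructed sample of installed versions around both range boundaries.
foreach (['6.4.19.0', '6.4.20.0', '6.4.20.1', '6.5.0.0-rc1', '6.5.0.0-rc4', '6.5.0.0'] as $v) {
    printf("%-12s %s\n", $v, statusFor($v));
}
```

The boundary cases are the ones worth checking: 6.4.20.0 and 6.5.0.0-rc4 are reported affected, while 6.4.20.1 (the fix release named in the advisory) and the 6.5.0.0 GA build fall outside both ranges and inherit defaultStatus, which the record sets to unaffected.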
