CVE-2023-2017

2023-04-1711:15:42

Google

osv.dev

cve-2023-2017

server-side template injection

shopware 6

twig environment

github repositories

remote attackers

twig sandbox extension

validation checks

securityextension

arbitrary php function

arbitrary code

arbitrary commands

upgrade

bypass

cve-2023-22731

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.9%

JSON

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

CPENameOperatorVersion
shopwareeq6.4.1.2
shopwareeq6.4.11.1
shopwareeq6.2.2
shopwareeq6.4.15.1
shopwareeq6.4.4.0
shopwareeq6.3.5.0
shopwareeq6.4.8.0
shopwareeq6.4.1.1
shopwareeq6.2.0
shopwareeq6.4.10.0

Name	Operator	Version
shopware	eq	6.4.1.2
shopware	eq	6.4.11.1
shopware	eq	6.2.2
shopware	eq	6.4.15.1
shopware	eq	6.4.4.0
shopware	eq	6.3.5.0
shopware	eq	6.4.8.0
shopware	eq	6.4.1.1
shopware	eq	6.2.0
shopware	eq	6.4.10.0