Improper Control of Generation of Code in Twig rendered views

2023-04-1813:14:20

Google

osv.dev

twig

code generation

cve-2023-22731

php closures

security update

shopware

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

0.008 Low

EPSS

Percentile

81.9%

JSON

Impact

We fixed with CVE-2023-22731 Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list

Patches

The problem has been fixed with 6.4.20.1 with an improved override.

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023?category=security-updates

CPENameOperatorVersion
shopware/platformeq6.4.1.1
shopware/coreeq6.1.1
shopware/coreeq6.3.1.1
shopware/platformeq6.3.5.3
shopware/coreeq6.4.6.0
shopware/platformeq6.4.11.0
shopware/coreeq6.3.4.1
shopware/coreeq6.1.0-rc4
shopware/coreeq6.1.0-rc1
shopware/platformeq6.1.1

Name	Operator	Version
shopware/platform	eq	6.4.1.1
shopware/core	eq	6.1.1
shopware/core	eq	6.3.1.1
shopware/platform	eq	6.3.5.3
shopware/core	eq	6.4.6.0
shopware/platform	eq	6.4.11.0
shopware/core	eq	6.3.4.1
shopware/core	eq	6.1.0-rc4
shopware/core	eq	6.1.0-rc1
shopware/platform	eq	6.1.1