Lucene search
PRIOn knowledge basePRION:CVE-2024-27917HistoryMar 06, 2024 - 8:15 p.m.
Session fixation
2024-03-0620:15:00
PRIOn knowledge base
www.prio-n.com
11
shopware
session fixation
404 pages
caching
symfony session handler
redis
php redis extension
security patch
0.0004 Low
EPSS
Percentile
15.5%
Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the PHP Redis extension, this exploiting code is not used. Shopware version 6.5.8.7 contains a patch for this issue. As a workaround, use Redis for Sessions, as this does not trigger the exploit code.
Related
cve
cve
CVE-2024-27917
2024-03-06 20:15:48
nvd
nvd
CVE-2024-27917
2024-03-06 20:15:48
osv
osv
Shopware's session is persistent in Cache for 404 pages
2024-03-06 15:06:54
CVE-2024-27917
2024-03-06 20:15:48
github
github
Shopware's session is persistent in Cache for 404 pages
2024-03-06 15:06:54
cvelist
cvelist
CVE-2024-27917 Shopware's session is persistent in Cache for 404 pages
2024-03-06 19:36:27
veracode
veracode
Use Of Cache Containing Sensitive Information
2024-03-07 10:13:33