CVE-2021-32717
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| shopware | platform | < 6.4.1.1 | affected |
Weaknesses
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CVE Program Container
Additional References
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021
- https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v
- https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3
References
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021
- https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v
- https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.