Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03djJ2LTlybTQtN204Zs4AAy1O

Improper Control of Generation of Code in Twig rendered views

Impact

We fixed with CVE-2023-22731 Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list

Patches

The problem has been fixed with 6.4.20.1 with an improved override.

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023?category=security-updates

Permalink: https://github.com/advisories/GHSA-7v2v-9rm4-7m8f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03djJ2LTlybTQtN204Zs4AAy1O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-7v2v-9rm4-7m8f, CVE-2023-2017
References:

Repository: https://github.com/shopware/platform
Blast Radius: 21.8

Affected Packages

packagist:shopware/core

Dependent packages: 216
Dependent repositories: 298
Downloads: 3,219,185 total
Affected Version Ranges: <= 6.4.20.0
Fixed in: 6.4.20.1
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.4.2-0.0
All unaffected versions:

packagist:shopware/platform

Dependent packages: 6
Dependent repositories: 38
Downloads: 1,264,935 total
Affected Version Ranges: <= 6.4.20.0
Fixed in: 6.4.20.1
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.4.2-0.0
All unaffected versions: