Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA

Shopware vulnerable to blind SQL-injection in DAL aggregations

Impact

The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the “aggregations” object. The ‘name’ field in this “aggregations” object is vulnerable to SQL injection and can be exploited using SQL parameters.

Patches

Update to Shopware 6.6.5.1 or 6.5.8.13.

Workarounds

For older versions (6.1, 6.2, 6.3 and 6.4), corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

Credit

LogicalTrust

Permalink: https://github.com/advisories/GHSA-p6w9-r443-r752
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-p6w9-r443-r752, CVE-2024-42357
References: Repository: https://github.com/shopware/shopware
Blast Radius: 18.1

Affected Packages

packagist:shopware/core
Dependent packages: 216
Dependent repositories: 298
Downloads: 2,947,360 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions:
packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,210,388 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions: