Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA
Shopware vulnerable to blind SQL-injection in DAL aggregations
Impact
The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The "name" field in this "aggregations" object is vulnerable to SQL injection and can be exploited using SQL parameters.
Patches
Update to Shopware 6.6.5.1 or 6.5.8.13
Workarounds
For the older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Credit:
Permalink: https://github.com/advisories/GHSA-p6w9-r443-r752
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 month ago
Updated: about 1 month ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Identifiers: GHSA-p6w9-r443-r752, CVE-2024-42357
References:
- https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752
- https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9
- https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f
- https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b
- https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac
- https://nvd.nist.gov/vuln/detail/CVE-2024-42357
- https://github.com/advisories/GHSA-p6w9-r443-r752
Blast Radius: 18.1
Affected Packages
packagist:shopware/core
Dependent packages: 216
Dependent repositories: 298
Downloads: 2,947,360 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions:
packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,210,388 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions: