Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA
Shopware vulnerable to blind SQL-injection in DAL aggregations
Impact
The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The "name" field in this "aggregations" object is vulnerable to SQL injection and can be exploited using SQL parameters.
Patches
Update to Shopware 6.6.5.1 or 6.5.8.13
Workarounds
For older versions (6.1, 6.2, 6.3 and 6.4), corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Credit:
Permalink: https://github.com/advisories/GHSA-p6w9-r443-r752
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNnc5LXI0NDMtcjc1Ms4AA-gA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: about 2 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Percentage: 0.00068
EPSS Percentile: 0.31502
Identifiers: GHSA-p6w9-r443-r752, CVE-2024-42357
References:
- https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752
- https://github.com/shopware/core/commit/63c05615694790f5790a04ef889f42b764fa53c9
- https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f
- https://github.com/shopware/shopware/commit/57ea2f3c59483cf7c0f853e7a0d68c23ded1fe5b
- https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac
- https://nvd.nist.gov/vuln/detail/CVE-2024-42357
- https://github.com/advisories/GHSA-p6w9-r443-r752
Blast Radius: 18.1
Affected Packages
packagist:shopware/core
Dependent packages: 216
Dependent repositories: 298
Downloads: 3,430,306 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions:
packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,317,266 total
Affected Version Ranges: >= 6.6.0.0, <= 6.6.5.0, <= 6.5.8.12
Fixed in: 6.6.5.1, 6.5.8.13
All affected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
All unaffected versions: