Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xbXA5LTJ4d2otbTZtOc4AA4ie
Blind SQL injection in shopware
Impact
The Shopware application API contains a search functionality which enables users to search through information stored within their Shopware instance. The searches performed by this function can be aggregated using the parameters in the "aggregations" object. The "name" field in this "aggregations" object is vulnerable to SQL injection and can be exploited using time-based SQL queries.
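The advisory names the injection point (the aggregation "name") but does not show the code path. The following is an added example, not Shopware's code and not the referenced fix commits: it reconstructs the general pattern in Python against an in-memory SQLite database. An attacker-controlled aggregation name is spliced into the SQL text as a result-column alias, a position where a bind parameter cannot be used, so the hardened variant validates the name against a strict identifier pattern before it reaches the query. The table names, rows and payload are constructed for the demonstration; SQLite has no SLEEP(), so the payload shows result tampering instead of the time-based probing the advisory mentions, but it breaks out at the same position.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the advisory): a product table the
    search API is meant to aggregate, and a table the caller must not read."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE product (id INTEGER, name TEXT, price_cents INTEGER);
        INSERT INTO product VALUES (1, 'Shirt', 1999), (2, 'Mug', 750), (3, 'Hat', 1200);
        CREATE TABLE customer (id INTEGER, email TEXT);
        INSERT INTO customer VALUES (1, 'alice@example.test');
        """
    )
    return con


def vulnerable_aggregation(con, agg_name):
    """Hypothetical vulnerable pattern: the caller-supplied aggregation name is
    used as the alias of the aggregated column. Aliases are identifiers, so the
    driver's '?' placeholders cannot carry them, and the code concatenates."""
    sql = f"SELECT SUM(price_cents) AS `{agg_name}` FROM product"
    return con.execute(sql).fetchall()


# Allowlist for identifiers: leading letter or underscore, then up to 63
# alphanumerics/underscores. Anything else (quotes, spaces, comments) is rejected.
AGG_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def safe_aggregation(con, agg_name):
    """Hardened variant: validate the identifier before it touches the SQL text.
    Validation, not escaping, is the right tool here because the value is an
    identifier and the only legitimate inputs are plain names."""
    if not AGG_NAME_RE.fullmatch(agg_name):
        raise ValueError(f"invalid aggregation name: {agg_name!r}")
    sql = f"SELECT SUM(price_cents) AS `{agg_name}` FROM product"
    return con.execute(sql).fetchall()


# Constructed payload: closes the backtick-quoted alias, appends a second SELECT,
# and comments out the remainder of the original statement. In MySQL the same
# position accepts a subquery calling SLEEP(), which is the time-based variant.
PAYLOAD = "x` FROM product UNION ALL SELECT email FROM customer -- "


if __name__ == "__main__":
    con = make_db()
    print("benign:", vulnerable_aggregation(con, "total"))
    print("vulnerable with payload:", vulnerable_aggregation(con, PAYLOAD))
    try:
        safe_aggregation(con, PAYLOAD)
    except ValueError as exc:
        print("hardened rejects payload:", exc)
```

The same check belongs on every other identifier-like field a search API accepts (field names, sort keys, table aliases); if the set of legal aggregation names is known in advance, replace the regex with an explicit allowlist of those names.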
Patches
Update to Shopware 6.5.7.4
Workarounds
For the older versions 6.1, 6.2, 6.3 and 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
Permalink: https://github.com/advisories/GHSA-qmp9-2xwj-m6m9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xbXA5LTJ4d2otbTZtOc4AA4ie
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 months ago
Updated: 4 months ago
CVSS Score: 9.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Identifiers: GHSA-qmp9-2xwj-m6m9, CVE-2024-22406
References:
- https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9
- https://nvd.nist.gov/vuln/detail/CVE-2024-22406
- https://github.com/shopware/core/commit/e2256ec81e56f792623e90d89786d8a9fcad28bf
- https://github.com/shopware/shopware/commit/5005213e609f5a4423fcfa92f105c3de8ab35100
- https://github.com/shopware/shopware/releases/tag/v6.5.7.4
- https://github.com/advisories/GHSA-qmp9-2xwj-m6m9
Blast Radius: 23.0
Affected Packages
packagist:shopware/platform
Dependent packages: 6
Dependent repositories: 38
Downloads: 1,115,773 total
Affected Version Ranges: <= 6.5.7.3
Fixed in: 6.5.7.4
All affected versions:
All unaffected versions: 5.3.1, 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3
packagist:shopware/core
Dependent packages: 163
Dependent repositories: 298
Downloads: 2,443,170 total
Affected Version Ranges: <= 6.5.7.3
Fixed in: 6.5.7.4
All affected versions:
All unaffected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.1, 6.2.2, 6.2.3