Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yZjhmLWhxanYtOTg2cM4AAhAR
Shopware Insecure Deserialization Vulnerability
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
Permalink: https://github.com/advisories/GHSA-rf8f-hqjv-986pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZjhmLWhxanYtOTg2cM4AAhAR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-rf8f-hqjv-986p, CVE-2019-12799
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-12799
- https://github.com/rapid7/metasploit-framework/pull/11828
- https://github.com/advisories/GHSA-6m27-7cqj-2mxw
- https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe/
- https://github.com/advisories/GHSA-rf8f-hqjv-986p
Blast Radius: 14.5
Affected Packages
packagist:shopware/shopware
Dependent packages: 38Dependent repositories: 45
Downloads: 686,707 total
Affected Version Ranges: >= 5.3.0, <= 5.6.0
No known fixed version
All affected versions: 5.3.0, 5.3.4, 5.3.5, 5.3.6, 5.3.7, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.6.0