Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZncjgtYzNtNS1tdnJn

Exposure of Sensitive Information to an Unauthorized Actor

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.

Permalink: https://github.com/advisories/GHSA-6gr8-c3m5-mvrg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZncjgtYzNtNS1tdnJn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-6gr8-c3m5-mvrg, CVE-2021-32717
References:

• https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v
• https://nvd.nist.gov/vuln/detail/CVE-2021-32717
• https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3
• https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021
• https://github.com/advisories/GHSA-6gr8-c3m5-mvrg

Repository: https://github.com/shopware/platform
Blast Radius: 11.8

Affected Packages