Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZyZjIteGdoci1qNTJ2

Private files publicly accessible with Cloud Storage providers

Impact

Private files publicly accessible with Cloud Storage providers when the hashed URL is known

Patches

We recommend first changing your configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type.

When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities

Permalink: https://github.com/advisories/GHSA-vrf2-xghr-j52v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZyZjIteGdoci1qNTJ2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-vrf2-xghr-j52v
References:

• https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v
• https://github.com/advisories/GHSA-vrf2-xghr-j52v

Repository: https://github.com/shopware/platform
Blast Radius: 18.6

Affected Packages