First published: Thu Jun 13 2019
In `createInstanceFromNamedArguments` in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for the CVE-2017-18357 whitelist patch.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| | <=5.6.0 | |
| Shopware Shopware | <=5.6.0 | |
| composer/shopware/shopware | >=5.3.0, <=5.6.0 | |
CVE-2019-12799 is a vulnerability in Shopware through version 5.6.x that allows for arbitrary deserialization and remote code execution.
CVE-2019-12799 allows an attacker to trigger a PHP object instantiation vulnerability, leading to arbitrary deserialization and potential remote code execution in Shopware versions 5.6.x and below.
CVE-2019-12799 has a severity rating of 8.8 (high).
To fix CVE-2019-12799 in Shopware, it is recommended to upgrade to a version above 5.6.x, where the vulnerability has been patched.
Additional information about CVE-2019-12799 is available in the following references: [NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2019-12799), [rapid7/metasploit-framework pull request 11828](https://github.com/rapid7/metasploit-framework/pull/11828), [GitHub advisory GHSA-6m27-7cqj-2mxw](https://github.com/advisories/GHSA-6m27-7cqj-2mxw)