First published: Mon Apr 17 2023(Updated: )
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
Credit: info@starlabs.sg
Affected Software | Affected Version | How to fix |
---|---|---|
Shopware Shopware | >=6.1.0<=6.4.20.0 | |
Shopware Shopware | =6.5.0.0-rc1 | |
Shopware Shopware | =6.5.0.0-rc2 | |
Shopware Shopware | =6.5.0.0-rc3 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2023-2017 is high with a CVSS score of 8.8.
Shopware versions <= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4 are affected by CVE-2023-2017.
Remote attackers with access to a Twig environment without the Sandbox extension can exploit CVE-2023-2017 to bypass validation checks in Shopware.
Yes, there is a security update available for CVE-2023-2017. More information can be found in the official documentation and advisories.
The Common Weakness Enumeration (CWE) IDs associated with CVE-2023-2017 are 94, 1336, and 184.