CVE-2021-32717

 

Published at: - 24-06-2021 11:15

Last modified: - 25-10-2022 04:39

Total changes: - 5

Description

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct your cloud file visibilities.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

 

Verification logic

 

Reference

• https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021
• https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v
• https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3

 

Keywords

NVD

 

CVE-2021-32717

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures