CVE-2024-42354

Shopware is an open commerce platform. The store-API works with regular entities and not expose all fields for the public API; fields need to be marked as ApiAware in the EntityDefinition. So only ApiAware fields of the EntityDefinition will be encoded to the final JSON. Prior to versions 6.6.5.1 and 6.5.8.13, the processing of the Criteria did not considered ManyToMany associations and so they were not considered properly and the protections didn't get used. This issue cannot be reproduced with the default entities by Shopware, but can be triggered with extensions. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.2, 6.3, and 6.4, corresponding security measures are also available via a plugin.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

History

12 Aug 2024, 15:49

Type Values Removed Values Added
CWE NVD-CWE-Other
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 5.9
CPE cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
First Time Shopware shopware
Shopware
References () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - () https://github.com/shopware/core/commit/a784aa1cec0624e36e0ee4d41aeebaed40e0442f - Patch
References () https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 - () https://github.com/shopware/core/commit/d35ee2eda5c995faeb08b3dad127eab65c64e2a2 - Patch
References () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - () https://github.com/shopware/shopware/commit/8504ba7e56e53add6a1d5b9d45015e3d899cd0ac - Patch
References () https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01 - () https://github.com/shopware/shopware/commit/ad83d38809df457efef21c37ce0996430334bf01 - Patch
References () https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g - () https://github.com/shopware/shopware/security/advisories/GHSA-hhcq-ph6w-494g - Vendor Advisory
Summary
  • (es) Shopware es una plataforma de comercio abierta. La API de la tienda funciona con entidades normales y no expone todos los campos para la API pública; Los campos deben marcarse como ApiAware en EntityDefinition. Por lo tanto, solo los campos ApiAware de EntityDefinition se codificarán en el JSON final. Antes de las versiones 6.6.5.1 y 6.5.8.13, el procesamiento de los Criterios no consideraba las asociaciones ManyToMany por lo que no se consideraban adecuadamente y no se utilizaban las protecciones. Shopware no puede reproducir este problema con las entidades predeterminadas, pero puede activarse con extensiones. Actualice a Shopware 6.6.5.1 o 6.5.8.13 para recibir un parche. Para las versiones anteriores 6.2, 6.3 y 6.4 también están disponibles las medidas de seguridad correspondientes a través de un complemento.

08 Aug 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-08 15:15

Updated : 2024-08-12 15:49


NVD link : CVE-2024-42354

Mitre link : CVE-2024-42354

CVE.ORG link : CVE-2024-42354


JSON object : View

Products Affected

shopware

  • shopware
CWE
NVD-CWE-Other CWE-284

Improper Access Control