logo

Database

Insecure deserialization In shopware/shopware

Description

Shopware Insecure Deserialization Vulnerability In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2019-127992. NVD-2019-127993. OSV-2019-127994. GHSA-6m27-7cqj-2mxw5. GCVE-2019-12799

References

1. https://github.com/rapid7/metasploit-framework/pull/118282. https://web.archive.org/web/20171112153855/https://blog.ripstech.com/2017/shopware-php-object-instantiation-to-blind-xxe3. https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.