logo

Database

Business information leak In shopware/core

Description

Private files publicly accessible with Cloud Storage providers

Impact

Private files publicly accessible with Cloud Storage providers when the hashed URL is known

Patches

We recommend first changing your configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type.

When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-vrf2-xghr-j52v2. GCVE-GHSA-vrf2-xghr-j52v

References

1. https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.