CVE-2019-12799
Published 2019-06-13
Priority: P273, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 54.68% (98.9th percentile)
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| shopware | shopware | <= 5.6.0 | — |
| shopware | shopware | 5.3.0 – 5.6.0 | — |
Detection & IOCs (extracted from sources)
- Monitor for crafted web requests targeting the createInstanceFromNamedArguments function in Shopware, which may indicate an attempt to trigger PHP object instantiation/deserialization for RCE.
- This CVE is a bypass of the CVE-2017-18357 whitelist patch; detection logic should account for whitelist bypass techniques in Shopware's object instantiation code path.
- Exploitation requires an authenticated backend user account; unauthenticated exploitation is not indicated by available sources.
- Affected versions span multiple Shopware branches (5.3–5.6); patching the CVE-2017-18357 whitelist alone is insufficient as this CVE is a direct bypass of that fix.
CVSS provenance
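| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.5 | MEDIUM | |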
OSV
Shopware Insecure Deserialization Vulnerability
osv · 2022-05-24 · CVSS 6.5 [MEDIUM]
GHSA
Shopware Insecure Deserialization Vulnerability
ghsa · 2022-05-24 · CVSS 6.5 [MEDIUM] · CWE-502
CWE
Permissive List of Allowed Inputs
mitre_cwe · CVSS 6.5 [MEDIUM]
CWE-183: Permissive List of Allowed Inputs
The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism.
Detection Methods:
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control
CWE
Deserialization of Untrusted Data
mitre_cwe
CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Background: Serialization and deserialization refer to the process of taking program-internal object-related data, packaging it in a way that allows the data to be externally stored or transferred ("serialization"), then extracting the serialized data to reconstruct the original object ("deserialization").
Modes of Introduction:
Phase: Architecture and Design
Note: OMISSION: This weakness is caused by missing a security tactic during the architecture and design phase.
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Modify Application Data, Unexpected State. Attackers can modify unexpected objects or data that was as