CVE-2020-13997 — Information Exposure via Error Message in Shopware

CWE-209 — Information Exposure via Error Message3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 25.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedJul 28

Latest updateMay 24

Description

In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Packagistshopware/core6.0.0 — 6.2.3

▶NVDshopware/shopware< 6.2.3

▶Packagistshopware/platform6.0.0 — 6.2.3

🔴Vulnerability Details

OSV

Shopware database password is leaked to an unauthenticated users↗2022-05-24

▶

GHSA

Shopware database password is leaked to an unauthenticated users↗2022-05-24

▶