CVE-2021-37709 — Log File Information Exposure in Shopware

CWE-532 — Log File Information Exposure CWE-639 — Authorization Bypass Through User-Controlled Key3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 55.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedAug 16

Latest updateAug 30

Description

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶Packagistshopware/platform< 6.4.3.1

▶CVEListV5shopware/platform6.4.3.0

▶Packagistshopware/core< 6.4.3.1

▶NVDshopware/shopware< 6.4.3.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Insecure direct object reference of log files of the Import/Export feature↗2021-08-30

▶

GHSA

Insecure direct object reference of log files of the Import/Export feature↗2021-08-30

▶