CVE-2021-37711 — Server-Side Request Forgery in Shopware

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 33.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Core Shopware Platform

Timeline

PublishedAug 16

Latest updateAug 23

Description

Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Packagistshopware/core< 6.4.3.1

▶NVDshopware/shopware6.1.0 — 6.4.3.1

▶Packagistshopware/platform< 6.4.3.1

▶CVEListV5shopware/platform6.4.3.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Authenticated server-side request forgery in file upload via URL.↗2021-08-23

▶

OSV

Authenticated server-side request forgery in file upload via URL.↗2021-08-23

▶