CVE-2023-2017
published 2023-04-17


Priority: P2 (59) · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 2.08% (79.2th percentile)
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

Affected (8 ranges)

| Vendor   | Product  | Version range           | Fixed in |
|----------|----------|-------------------------|----------|
| shopware | core     | >= 0, < 6.4.20.1        | 6.4.20.1 |
| shopware | core     | >= 6.7.0.0, < 6.7.6.1   | 6.7.6.1  |
| shopware | platform | >= 0, < 6.4.20.1        | 6.4.20.1 |
| shopware | shopware |                         |          |
| shopware | shopware |                         |          |
| shopware | shopware | 6.1.0 – 6.4.20.0        |          |
| shopware | shopware | >= 6.7.0.0, < 6.7.6.1   | 6.7.6.1  |
| shopware | shopware | >= 6.7.0.0, < 6.7.6.1   | 6.7.6.1  |

Detection & IOCs (extracted from sources)

  • Detect SSTI exploitation attempts targeting Shopware 6 Twig environment by monitoring for usage of fully-qualified class/function names supplied as arrays of strings in template input, which is the specific bypass technique used to circumvent SecurityExtension validation.
  • Monitor for bypass attempts against `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` — specifically inputs that pass validation checks but invoke arbitrary PHP callables through Twig templates outside the Sandbox extension.
  • This CVE is a bypass of CVE-2023-22731; detection rules for CVE-2023-22731 may be insufficient — ensure coverage also accounts for array-of-strings callable references in Twig templates.
  • Vulnerability affects both shopware/core and shopware/platform GitHub repositories across Shopware 6 versions <= v6.4.20.0 and v6.5.0.0-rc1 through v6.5.0.0-rc4; patched in v6.4.20.1.
  • Exploitation requires the attacker to already have access to a Twig environment without the Sandbox extension enabled; it is not exploitable in default sandboxed configurations.
  • A regression of this CVE was later introduced in Shopware 6.7.0.0–6.7.6.0 (tracked as CVE-2026-23498), where array and PHP Closure inputs to the map() override were not checked against the allow list.
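The description and the detection notes above share one root cause: a callable reference in a Twig filter such as map() can be a plain string or an array of strings, and an allow-list check that only inspects the string form lets the array form (and, in the later regression, Closures) reach the call. The following is an added example of a check that resolves every callable shape to a name before the lookup; it is not Shopware's SecurityExtension code, and the class and method names are assumptions.

```php
<?php
// Added example, not Shopware's SecurityExtension: an allow-list check that
// resolves every callable shape to a name before the lookup, so the
// array-of-strings form is validated like the plain string form.
final class CallableAllowList
{
    /** @var array<string, true> normalized function names */
    private array $allowed = [];
    /** @param list<string> $allowedFunctions */
    public function __construct(array $allowedFunctions)
    {
        foreach ($allowedFunctions as $name) {
            $this->allowed[self::normalize($name)] = true;
        }
    }
    /** Returns the normalized name if allowed, throws otherwise. */
    public function assertAllowed(mixed $callable): string
    {
        if (is_object($callable)) { // Closures and invokable objects: target cannot be compared
            throw new \InvalidArgumentException('Closures and objects are not allowed');
        }
        if (is_array($callable)) {  // [Class, method] array form, all-string only
            if (count($callable) !== 2 || !is_string($callable[0] ?? null) || !is_string($callable[1] ?? null)) {
                throw new \InvalidArgumentException('Malformed array callable');
            }
            $name = $callable[0] . '::' . $callable[1];
        } elseif (is_string($callable)) {
            $name = $callable;
        } else {
            throw new \InvalidArgumentException('Unsupported callable type ' . get_debug_type($callable));
        }
        $name = self::normalize($name);
        if (!isset($this->allowed[$name])) {
            throw new \InvalidArgumentException(sprintf('"%s" is not on the allow list', $name));
        }
        return $name;
    }
    private static function normalize(string $name): string
    {
        // Function names are case-insensitive; a leading "\" must not defeat the lookup
        return strtolower(ltrim($name, '\\'));
    }
}
// Constructed usage: only the plain string form passes, regardless of case or leading "\"
$list = new CallableAllowList(['strtoupper', 'trim']);
echo $list->assertAllowed('\\StrToUpper'), "\n";
foreach ([['SomeClass', 'method'], fn ($x) => $x] as $bad) {
    try { $list->assertAllowed($bad); } catch (\InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
}
```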

CVSS provenance

  • NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • GHSA: 8.8 HIGH
  • OSV: 8.8 HIGH