CVE-2024-27917 — Use of Cache Containing Sensitive Information in Shopware

CWE-524 — Use of Cache Containing Sensitive Information3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 69.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shopware Shopware Platform Shopware Storefront

Timeline

PublishedMar 6

Description

Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶Packagistshopware/platform6.5.8.0 — 6.5.8.7

▶NVDshopware/shopware6.5.8.0 — 6.5.8.7

▶Packagistshopware/storefront6.5.8.0 — 6.5.8.7

▶CVEListV5shopware/shopware>= 6.5.8.0, < 6.5.8.7

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Shopware's session is persistent in Cache for 404 pages↗2024-03-06

▶

OSV

Shopware's session is persistent in Cache for 404 pages↗2024-03-06

▶