Private files publicly accessible with Cloud Storage providers
CVE-2021-32717

7.5HIGH

Key Information:

Vendor

Shopware

Status
Platform
Vendor
CVE Published:
24 June 2021

What is CVE-2021-32717?

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.

Affected Version(s)

platform < 6.4.1.1

References

https://docs.shopware.com/en/shopware-6-en/security-updat...
x_refsource_MISC
https://github.com/shopware/platform/security/advisories/...
x_refsource_CONFIRM
https://github.com/shopware/platform/commit/ba52f683372b8...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.