CVE-2024-27917 in Shopwareinfo

Summary

by MITRE • 03/06/2024

Shopware is an open commerce platform based on Symfony Framework and Vue. The Symfony Session Handler pops the Session Cookie and assigns it to the Response. Since Shopware 6.5.8.0, the 404 pages are cached to improve the performance of 404 pages. So the cached Response which contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the PHP Redis extension, this exploiting code is not used. Shopware version 6.5.8.7 contains a patch for this issue. As a workaround, use Redis for Sessions, as this does not trigger the exploit code.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 09/10/2025

This vulnerability affects Shopware versions prior to 6.5.8.7 and stems from a session handling flaw within the Symfony Framework integration. The issue manifests when the Symfony Session Handler processes responses containing session cookies, particularly in the context of cached 404 error pages. When Shopware 6.5.8.0 introduced caching for 404 pages to enhance performance, it inadvertently created a scenario where session cookies could be improperly handled during the response generation process. The vulnerability occurs because the Symfony Session Handler pops session cookies from the request and assigns them to the response, but this mechanism fails when the cached response is generated before a session cookie has been established.

The technical flaw lies in the interaction between the Symfony session management component and Shopware's caching mechanism for error pages. When browsers access 404 pages that have been cached, they do not yet possess session cookies, yet the Symfony Session Handler still attempts to process and assign session identifiers to the response. This creates a potential session fixation vulnerability where session tokens could be manipulated or exposed during the response handling process. The flaw is particularly concerning because it leverages the default session configuration that occurs when no explicit session settings are defined, making it an automatic risk for installations that rely on the platform's default behavior.

The operational impact of this vulnerability extends beyond simple session management issues, as it could potentially allow attackers to manipulate session tokens or gain unauthorized access to user sessions. The vulnerability is classified under CWE-384 as it relates to session management flaws that can lead to session hijacking or fixation attacks. When combined with other exploitation techniques, this vulnerability could enable attackers to maintain persistent access to user accounts or perform actions with elevated privileges. The risk is heightened because the issue affects default configurations and does not require specific user interaction to exploit, making it particularly dangerous for public-facing e-commerce platforms that rely heavily on session-based authentication.

Organizations can mitigate this vulnerability through several approaches, with the most effective being the implementation of Redis-based session storage as a workaround. This solution bypasses the vulnerable code path entirely since Redis sessions use a different code execution path that does not trigger the problematic session cookie handling. Additionally, upgrading to Shopware version 6.5.8.7 or later resolves the issue through proper session handling logic that prevents the inappropriate assignment of session cookies to cached responses. The mitigation strategy aligns with ATT&CK technique T1548.005 which focuses on privilege escalation through session management vulnerabilities, and represents a critical security measure for maintaining user session integrity in web applications. Organizations should also implement proper session configuration management and regularly audit their session handling mechanisms to prevent similar issues from arising in other components of their web applications.

Responsible

GitHub, Inc.

Reservation

02/28/2024

Disclosure

03/06/2024

Moderation

accepted

CPE

ready

EPSS

0.00611

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!