Shopware up to 6.1/6.2/6.3.5.1 session fixiation

Summaryinfo

A vulnerability classified as critical was found in Shopware up to 6.1/6.2/6.3.5.1. This affects an unknown function. Such manipulation leads to session fixiation. This vulnerability is listed as CVE-2021-32710. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in Shopware up to 6.1/6.2/6.3.5.1 and classified as critical. Affected by this issue is an unknown function. The manipulation with an unknown input leads to a session fixiation vulnerability. Using CWE to declare the problem leads to CWE-384. Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions. Impacted is confidentiality, integrity, and availability.

The weakness was presented 06/25/2021. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2021-32710. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Upgrading to version 6.3.5.2 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2021-2034). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Shopware

Version

• 6.0
• 6.1
• 6.2
• 6.3.5.0
• 6.3.5.1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion