github - ghsa-7v2v-9rm4-7m8f

GHSA-7V2V-9RM4-7M8F

Vulnerability from github – Published: 2023-04-18 13:14 – Updated: 2023-04-18 13:14

Summary

Improper Control of Generation of Code in Twig rendered views

Details

Impact

We fixed with CVE-2023-22731 Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list

Patches

The problem has been fixed with 6.4.20.1 with an improved override.

Workarounds

For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023?category=security-updates

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.20.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 6.4.20.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "shopware/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.4.20.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-18T13:14:20Z",
    "nvd_published_at": "2023-04-17T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWe fixed with [CVE-2023-22731](https://github.com/shopware/platform/security/advisories/GHSA-93cw-f5jj-x85w) Twig filters to only be executed with allowed functions. It is possible to pass PHP Closures as string or an array and array crafted PHP Closures was not checked against allow list\n\n### Patches\nThe problem has been fixed with 6.4.20.1 with an improved override.\n\n### Workarounds\nFor older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.\n\n### References\n\nhttps://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023?category=security-updates\n\n",
  "id": "GHSA-7v2v-9rm4-7m8f",
  "modified": "2023-04-18T13:14:20Z",
  "published": "2023-04-18T13:14:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2017"
    },
    {
      "type": "WEB",
      "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shopware/platform"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shopware/platform/releases/tag/v6.4.20.1"
    },
    {
      "type": "WEB",
      "url": "https://starlabs.sg/advisories/23/23-2017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Control of Generation of Code in Twig rendered views"
}

CVE-2023-2017 (GCVE-0-2023-2017)

Vulnerability from cvelistv5 – Published: 2023-04-17 10:18 – Updated: 2025-02-05 20:46

Summary

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-184 - Incomplete List of Disallowed Inputs
CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

Assigner

STAR_Labs

References

URL

Tags

	https://docs.shopware.com/en/shopware-6-en/securi…	vendor-advisory
	https://github.com/shopware/platform/security/adv…	vendor-advisory
	https://starlabs.sg/advisories/23/23-2017/	third-party-advisory

Impacted products

	Vendor	Product	Version
	Shopware AG	Shopware 6	Affected: 0 , ≤ 6.4.20.0 (semver) Affected: 6.5.0.0-rc1 , ≤ 6.5.0.0-rc4 (semver)

Credits

Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:12:19.518Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://starlabs.sg/advisories/23/23-2017/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2017",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T20:46:34.501269Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T20:46:43.936Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Shopware 6",
          "vendor": "Shopware AG",
          "versions": [
            {
              "lessThanOrEqual": "6.4.20.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.0.0-rc4",
              "status": "affected",
              "version": "6.5.0.0-rc1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server-side Template Injection (SSTI) in Shopware 6 (\u0026lt;= v6.4.20.0, v6.5.0.0-rc1 \u0026lt;= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\\Core\\Framework\\Adapter\\Twig\\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.\u003cbr\u003e"
            }
          ],
          "value": "Server-side Template Injection (SSTI) in Shopware 6 (\u003c= v6.4.20.0, v6.5.0.0-rc1 \u003c= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\\Core\\Framework\\Adapter\\Twig\\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184 Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1336",
              "description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-19T06:34:45.957Z",
        "orgId": "b1571b85-cbc9-431f-830b-0c8155323a69",
        "shortName": "STAR_Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://starlabs.sg/advisories/23/23-2017/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\nUsers are advised to upgrade to v6.4.20.1 to resolve this issue.\n\n\u003cbr\u003e"
            }
          ],
          "value": "Users are advised to upgrade to v6.4.20.1 to resolve this issue.\n\n\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Improper Control of Generation of Code in Twig Rendered Views in Shopware",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b1571b85-cbc9-431f-830b-0c8155323a69",
    "assignerShortName": "STAR_Labs",
    "cveId": "CVE-2023-2017",
    "datePublished": "2023-04-17T10:18:27.543Z",
    "dateReserved": "2023-04-13T04:21:56.530Z",
    "dateUpdated": "2025-02-05T20:46:43.936Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-7V2V-9RM4-7M8F

Impact

Patches

Workarounds

References

CVE-2023-2017 (GCVE-0-2023-2017)

Tags

Sightings

Nomenclature