Vulnerability Description
Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1, files stored in the private filesystem are publicly accessible when a cloud storage provider is used and the hashed URL of the file is known. Users are advised to first change their configuration to set the correct visibility according to the documentation: the `visibility` key must be at the same level as `type`. When the storage is on Amazon AWS, it is also recommended to disable public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Then update to Shopware 6.4.1.1, or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct the visibility of files already stored in the cloud.
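The configuration point above (the `visibility` key belongs beside `type`, not anywhere else) is easy to get wrong and fails silently. The following check is an added example written for this page, not Shopware's own code: it audits a parsed `config/packages/shopware.yaml` (a dict such as `yaml.safe_load()` returns; PyYAML is deliberately not imported so the block runs on its own) and reports a private filesystem whose cloud adapter is missing `visibility: private`, including the case where the key was nested under `config`. The adapter type names, bucket names and regions are assumed sample values.

```python
"""
Added example (not Shopware's own code): audit a parsed Shopware 6
filesystem configuration for the mistake this advisory warns about.
The `visibility` key of the private filesystem must sit at the same
level as `type`; nested anywhere else it is silently ignored, and the
cloud adapter keeps the default that left private files reachable by
their hashed URL.

The configuration is expected as a dict, i.e. the result of
`yaml.safe_load()` on config/packages/shopware.yaml. Bucket names and
regions below are constructed sample values.
"""
from typing import Any, Dict, List

# Only the "private" filesystem must never be public; Shopware's other
# filesystems (theme, asset, sitemap, ...) serve public content.
PRIVATE_FILESYSTEMS = ("private",)

# Adapter type values as used in Shopware 6 filesystem configs
# (assumption: these are the cloud adapters the advisory refers to).
CLOUD_TYPES = {"amazon-s3", "google-storage"}


def audit_filesystems(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the private
    filesystem is either local or explicitly declared private."""
    findings: List[str] = []
    filesystems = config.get("shopware", {}).get("filesystem", {}) or {}
    for name in PRIVATE_FILESYSTEMS:
        fs = filesystems.get(name)
        if not fs:
            continue  # not declared: Shopware falls back to its local default
        fs_type = fs.get("type", "local")
        if fs_type not in CLOUD_TYPES:
            continue  # local storage is served by the app, not by a bucket URL
        adapter_cfg = fs.get("config") or {}
        top_level = fs.get("visibility")
        nested = adapter_cfg.get("visibility")
        if top_level == "private":
            continue  # correct: visibility beside type
        if top_level is None and nested == "private":
            findings.append(
                f"{name}: 'visibility: private' is nested under 'config' "
                "instead of beside 'type'; move it up one level"
            )
        elif top_level is None:
            findings.append(
                f"{name}: cloud adapter '{fs_type}' has no 'visibility' key; "
                "files fall back to the adapter default and are reachable by URL"
            )
        else:
            findings.append(
                f"{name}: visibility is '{top_level}', expected 'private'"
            )
    return findings


# Constructed sample: the misplacement the advisory warns about.
# Equivalent YAML:
#   shopware:
#     filesystem:
#       private:
#         type: "amazon-s3"
#         config:
#           bucket: "shop-private-files"
#           region: "eu-central-1"
#           visibility: "private"     # wrong level, ignored
MISPLACED = {"shopware": {"filesystem": {"private": {
    "type": "amazon-s3",
    "config": {"bucket": "shop-private-files", "region": "eu-central-1",
               "visibility": "private"},
}}}}

# Constructed sample: `visibility` at the same level as `type`.
#   shopware:
#     filesystem:
#       private:
#         type: "amazon-s3"
#         visibility: "private"
#         config:
#           bucket: "shop-private-files"
#           region: "eu-central-1"
CORRECT = {"shopware": {"filesystem": {"private": {
    "type": "amazon-s3",
    "visibility": "private",
    "config": {"bucket": "shop-private-files", "region": "eu-central-1"},
}}}}


if __name__ == "__main__":
    for label, cfg in (("misplaced", MISPLACED), ("correct", CORRECT)):
        problems = audit_filesystems(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Fixing the configuration only affects files uploaded from then on; objects already in the bucket keep the visibility they were written with, which is why the advisory additionally asks for `./bin/console s3:set-visibility` and, on AWS, for Block Public Access on the bucket so that a misconfiguration cannot expose the objects again.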
CVSS Score
HIGH (base score 7.5)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Shopware | Shopware | >= 6.1.0, < 6.4.1.1 |
Related Weaknesses (CWE)
References
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2 (Patch, Vendor Advisory)
- https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f (Patch, Third Party Advisory)
- https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52v (Third Party Advisory)
FAQ
What is CVE-2021-32717?
CVE-2021-32717 is a vulnerability with a CVSS score of 7.5 (HIGH). Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1, private files are publicly accessible with cloud storage providers when the hashed URL is known. Users are advised to first ch...
How severe is CVE-2021-32717?
CVE-2021-32717 has been rated HIGH with a CVSS base score of 7.5/10; see the CVSS Score section above.
Is there a patch for CVE-2021-32717?
Yes. Shopware 6.4.1.1 fixes the issue; alternatively, install or update the Security plugin and run `./bin/console s3:set-visibility`. The References section above links the vendor advisory and the fixing commit. Affected product: Shopware (Shopware), versions >= 6.1.0 and < 6.4.1.1.