CVE-2021-37711

Published: Aug 16, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Versions prior to 6.4.3.1 contain an authenticated server-side request forgery vulnerability in file upload via URL. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

Affected (1)

Products: Shopware: Shopware

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Shopware Shopware	From 6.1.0 to 6.4.3.1

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (4)

https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r

Source: security-advisories@github.com

Third Party Advisory

https://github.com/shopware/platform/commit/b9f330e652b743dd2374c02bbe68f28b59a3f502

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/shopware/platform/security/advisories/GHSA-gcvv-gq92-x94r

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.