PT-2020-13826 · Shopware · Shopware

Published

2020-07-28

Updated

2022-05-24

CVE-2020-13997

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Shopware versions prior to 6.2.3

Description The database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled. This issue does not affect the Shopware 5 release branch.

Recommendations For versions prior to 6.2.3, update to version 6.2.3 or later to resolve the issue. As a temporary workaround, consider disabling verbose error handling until a patch is available. Restrict access to error logs to minimize the risk of exploitation.

Fix

Generation of Error Message Containing Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-209

Related Identifiers

CVE-2020-13997

GHSA-R4PH-MX67-X58P

Affected Products

Shopware

PT-2020-13826 · Shopware · Shopware

CVE-2020-13997

Weakness Enumeration

Related Identifiers

Affected Products

References · 6