PT-2021-19881 · Amazon · Amazon Aws

Highshyim

Published: 2021-06-24 · Updated: 2022-10-25 · CVE-2021-32717

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Shopware versions prior to 6.4.1.1

Description

Private files stored with cloud storage providers are publicly accessible when the hashed URL is known. Users are recommended to change their configuration to set the correct visibility according to the documentation, with visibility placed at the same level as type. For storage hosted on Amazon AWS, disabling public access to the bucket containing the private files is advised.

Recommendations

To resolve the issue, update to Shopware 6.4.1.1, or install or update the Security plugin and run the command ./bin/console s3:set-visibility to correct cloud file visibilities. As a temporary workaround, change the configuration to set the correct visibility according to the documentation. When the storage is hosted on Amazon AWS, disable public access to the bucket containing the private files.

Fix

Information Disclosure

Incorrect Permission

Weakness Enumeration

Related Identifiers

CVE-2021-32717
GHSA-6GR8-C3M5-MVRG
GHSA-VRF2-XGHR-J52V

Affected Products

Amazon Aws