PT-2023-17411 · Shopware · Shopware 6

Creastery · Published 2023-04-17 · Updated 2026-01-28 · CVE-2023-2017

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Shopware versions 6.4.20.0 and earlier, and 6.5.0.0-rc1 through 6.5.0.0-rc4

Description: The software is susceptible to a Server-side Template Injection (SSTI) issue within the Twig environment. Remote attackers with access to a Twig environment lacking the Sandbox extension can bypass the validation checks in Shopware\Core\Framework\Adapter\Twig\SecurityExtension. By supplying callables as fully-qualified names in an array of strings, they can invoke arbitrary PHP functions and potentially execute arbitrary code or commands. The issue stems from insufficient checks on PHP Closures passed as strings or arrays, which were not validated against an allow list.

Recommendations: Shopware versions 6.4.20.0 and earlier should be upgraded to version 6.4.20.1 to resolve this issue. Shopware versions 6.5.0.0-rc1 through 6.5.0.0-rc4 should be upgraded to a patched version. For the older 6.1, 6.2 and 6.3 branches, use the available security plugin as a mitigation.
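The weakness described above is an allow-list check that only inspects one representation of a callable while PHP accepts several (plain strings, strings with a leading namespace separator, case variants, arrays, Closures, invokable objects). The following is an added illustration of how such a check can be written so that every form PHP would accept is either normalized and compared or refused outright. It is not Shopware's code and does not reproduce the project's SecurityExtension; the class name CallableAllowList, its methods and the sample allow list are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added illustration, not Shopware's code. Hypothetical validator for a
// template-supplied "callable": only a plain string naming an allow-listed
// PHP function is accepted. Every other callable form PHP understands
// (arrays such as [Class, method], Closures, invokable objects) is rejected,
// because an exact-match check on strings alone says nothing about them.

final class CallableAllowList
{
    /** @var array<string, true> lower-cased function names accepted as callables */
    private array $allowed;

    /** @param list<string> $allowedFunctions constructed sample allow list */
    public function __construct(array $allowedFunctions)
    {
        $this->allowed = [];
        foreach ($allowedFunctions as $name) {
            $this->allowed[self::normalize($name)] = true;
        }
    }

    /**
     * Returns the normalized function name if $callable is acceptable, or null
     * if it must be refused. Callers should treat null as a hard error.
     */
    public function validate(mixed $callable): ?string
    {
        // Arrays, Closures and objects are callables too; refuse them outright
        // instead of assuming the allow list cannot be reached through them.
        if (!\is_string($callable)) {
            return null;
        }

        $name = self::normalize($callable);

        // Exact match against the normalized allow list.
        if (!isset($this->allowed[$name])) {
            return null;
        }

        return $name;
    }

    /**
     * PHP resolves function names case-insensitively and accepts a leading
     * namespace separator, so both are folded away before comparison.
     */
    private static function normalize(string $name): string
    {
        return \strtolower(\ltrim($name, '\\'));
    }
}

// Demonstration on constructed inputs.
$allowList = new CallableAllowList(['strlen', 'strtoupper', 'trim']);

$samples = [
    'strtoupper',      // plain allow-listed name: accepted
    '\\strtoupper',    // fully-qualified spelling of the same name: accepted
    'StrLen',          // case variant of an allowed name: accepted
    'system',          // not on the allow list: rejected
    ['strlen'],        // array form, even of an allowed name: rejected
    static fn () => 1, // Closure: rejected
];

foreach ($samples as $sample) {
    $shown = \is_string($sample) ? $sample : \gettype($sample);
    $result = $allowList->validate($sample);
    echo \str_pad($shown, 14), ' => ', $result ?? 'REJECTED', PHP_EOL;
}
```

The design point is that the allow list is the only path to a call: the validator returns a canonical name the caller may use, never the original value, so the comparison and the eventual invocation refer to the same string. Rejecting non-string forms wholesale is simpler and safer than trying to enumerate which array or object shapes are harmless.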

Weakness Enumeration

Incomplete List of Disallowed Inputs
Code Injection

Related Identifiers

CVE-2023-2017
GHSA-7V2V-9RM4-7M8F

Affected Products

Shopware 6