PT-2023-24670 · Shopware · Shopware

Published: 2023-06-27 · Updated: 2023-07-05 · CVE-2023-34098

CVSS v3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Shopware versions prior to 5.7.18

Description
The issue arises from an incorrect configuration in the .htaccess file, which allows the configuration file of JavaScript dependencies, specifically themes/package-lock.json, to be read in production environments. An attacker could use this information to determine the specific Shopware version in a deployment, potentially leading to further attacks.

Recommendations
For versions prior to 5.7.18, update to version 5.7.18 to resolve the issue. The update can be obtained via the Auto-Updater or directly from the release page. For older versions, consider using the Security Plugin as an alternative solution. As a temporary workaround, consider restricting access to the themes/package-lock.json file until the update is applied.
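
To check whether the file was actually served before the update or workaround went in, and to confirm that requests for it are refused afterwards, the web server access log can be reviewed. The following is an added example, not part of the original advisory or of Shopware: it assumes the Apache/nginx "combined" log format, the sample log lines are constructed, and shop_prefix is a hypothetical parameter for shops installed in a subdirectory.

```python
import posixpath
import re
from urllib.parse import unquote

TARGET = "/themes/package-lock.json"  # file named in the advisory

# Assumes Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Jun/2023:10:01:12 +0000] "GET /themes/package-lock.json HTTP/1.1" 200 48211 "-" "-"',
    '198.51.100.9 - - [27/Jun/2023:10:05:40 +0000] "GET /themes/%70ackage-lock.json?v=1 HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.44 - - [05/Jul/2023:08:00:00 +0000] "GET //themes/./package-lock.json HTTP/1.1" 403 199 "-" "-"',
    '192.0.2.50 - - [05/Jul/2023:08:01:00 +0000] "GET /themes/Frontend/Responsive/theme.js HTTP/1.1" 200 512 "-" "-"',
]

def normalize(uri):
    """Drop the query string, percent-decode, and collapse '//', '.' and '..'."""
    path = unquote(uri.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def find_exposures(lines, shop_prefix=""):
    """Split requests for TARGET into (served, blocked) lists of (ip, ts, status).

    shop_prefix is a hypothetical parameter for shops installed in a subdirectory.
    """
    wanted = posixpath.normpath(shop_prefix + TARGET)
    served, blocked = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["uri"]) != wanted:
            continue
        status = int(m["status"])
        hit = (m["ip"], m["ts"], status)
        # 2xx or 304 means the server was willing to hand out the file.
        (served if 200 <= status < 300 or status == 304 else blocked).append(hit)
    return served, blocked

if __name__ == "__main__":
    served, blocked = find_exposures(SAMPLE_LOG)
    for ip, ts, status in served:
        print(f"SERVED  {status} {ip} [{ts}]")
    for ip, ts, status in blocked:
        print(f"blocked {status} {ip} [{ts}]")
```

Entries in the served list that postdate the update or workaround indicate the restriction is not in effect for that path.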

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2023-34098
GHSA-Q97C-2MH3-PGW9

Affected Products

Shopware