Description
Shopware Has Improper Control of Generation of Code in Twig rendered views
Impact
With the fix for CVE-2023-22731, we restricted Twig filters so that they only execute allowed functions. However, PHP closures can be passed either as a string or as an array, and closures crafted as arrays were not checked against the allow list.
Patches
The problem has been fixed in 6.4.20.1 with an improved override.
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
References
- https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f
- https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f
- https://nvd.nist.gov/vuln/detail/CVE-2023-2017
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
- https://github.com/shopware/platform/releases/tag/v6.4.20.1
- https://starlabs.sg/advisories/23/23-2017
Packages
- shopware/platform: affected <= 6.4.20.0, fixed in 6.4.20.1
- shopware/core: affected <= 6.4.20.0, fixed in 6.4.20.1
Related vulnerabilities
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both the shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function, and thus execute arbitrary code/commands, via usage of fully-qualified names, supplied as an array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
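The allow-list gap described under Impact and in the CVE text above, shown as an added example that is not Shopware's `SecurityExtension` code: a check that only inspects string callables sits beside one that first reduces every callable spelling to a canonical name. The function names, the allow list and the sample inputs are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example with hypothetical helpers; not the project's own code.

/** Constructed allow list for the demonstration. */
const ALLOWED_CALLABLES = ['strtoupper', 'strtolower', 'trim'];

/** Weak check: only string callables are compared against the allow list. */
function weakIsAllowed(mixed $callable): bool
{
    if (is_string($callable) && !in_array($callable, ALLOWED_CALLABLES, true)) {
        return false;
    }
    return true; // arrays and every other type fall through unchecked
}

/** Reduce each supported callable spelling to one canonical name, or null. */
function canonicalName(mixed $callable): ?string
{
    if (is_array($callable)) {
        // ['Class', 'method'] is the array spelling of 'Class::method'.
        if (count($callable) !== 2 || !is_string($callable[0] ?? null) || !is_string($callable[1] ?? null)) {
            return null;
        }
        $callable = $callable[0] . '::' . $callable[1];
    }
    if (!is_string($callable)) {
        return null; // not a nameable callable in this sketch
    }
    return ltrim($callable, '\\'); // '\strtoupper' and 'strtoupper' name the same function
}

/** Strict check: default deny, compare the canonical name only. */
function strictIsAllowed(mixed $callable): bool
{
    $name = canonicalName($callable);
    return $name !== null && in_array($name, ALLOWED_CALLABLES, true);
}

// Constructed, benign sample inputs covering each spelling.
$samples = ['strtoupper', '\\strtoupper', 'str_rot13', ['DateTime', 'createFromFormat']];
foreach ($samples as $s) {
    printf("%-34s weak=%-5s strict=%s\n", json_encode($s),
        var_export(weakIsAllowed($s), true), var_export(strictIsAllowed($s), true));
}
```

The array-form sample is the case to watch: the weak check accepts it because it is not a string, while the strict check rejects it because its canonical name is not on the list.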