
CVE-2022-21652

Published: 05 Jan 2022
Source: nvd
CVSS3: 3.5
CVSS3: 8.1
CVSS2: 5.5
EPSS: Low

Description

Shopware is an open source e-commerce software platform. In affected versions Shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to log in with said account. This also means that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

Vulnerable configurations

Configuration 1
cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*
Versions from 5.7.3 (inclusive) to 5.7.7 (exclusive)

EPSS

Percentile: 53%
0.00303
Low

CVSS3: 3.5 Low
CVSS3: 8.1 High
CVSS2: 5.5 Medium

Weaknesses

CWE-613

Related vulnerabilities

CVSS3: 3.5
github
about 4 years ago

Insufficient Session Expiration in shopware
