Headline
GHSA-7v2v-9rm4-7m8f: Improper Control of Generation of Code in Twig rendered views
Impact
With CVE-2023-22731 we restricted Twig filters so that they only execute functions on an allow list. However, PHP Closures can be passed either as a string or as an array, and Closures crafted as arrays were not checked against the allow list.
Patches
The problem has been fixed in 6.4.20.1 with an improved override.
Workarounds
For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.
References
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023?category=security-updates
Package: shopware/core (Composer)
Affected versions: <= 6.4.20.0
Patched versions: 6.4.20.1

Package: shopware/platform (Composer)
Affected versions: <= 6.4.20.0
Patched versions: 6.4.20.1
References
- GHSA-7v2v-9rm4-7m8f
- https://nvd.nist.gov/vuln/detail/CVE-2023-2017
- https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
- https://github.com/shopware/platform/releases/tag/v6.4.20.1
shyim published to shopware/platform: Apr 17, 2023
Published by the National Vulnerability Database: Apr 17, 2023
Published to the GitHub Advisory Database: Apr 18, 2023
Reviewed: Apr 18, 2023
Last updated: Apr 18, 2023
Related news
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
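As an added illustration of the Impact section and the description above (this is example code, not Shopware's SecurityExtension or its actual fix), the following PHP class shows one way an allow-list check for filter callables can be written so that a callable is judged only after its representation is normalized. The class name, the PHP 8.0+ features and the choice to reject every non-string callable outright are assumptions of this example.

```php
<?php
// Added example (not Shopware code): allow-list check for callables handed to
// Twig filters. Assumes PHP 8.0+ (str_contains, mixed).
final class CallableAllowList
{
    /** @var array<string,true> canonical (lowercase, no leading '\') names */
    private array $allowed = [];

    /** @param string[] $allowedFunctions plain PHP function names */
    public function __construct(array $allowedFunctions)
    {
        foreach ($allowedFunctions as $name) {
            $this->allowed[self::normalizeName($name)] = true;
        }
    }

    /** Canonical form: strip a leading namespace separator, lowercase. */
    private static function normalizeName(string $name): string
    {
        // PHP function names are case-insensitive and '\strtoupper' resolves
        // to the same function as 'strtoupper', so both spellings must match.
        return strtolower(ltrim($name, '\\'));
    }

    /**
     * True only when $callable is a plain function name on the allow list.
     * Arrays, Closures, invokable objects and 'Class::method' strings are
     * rejected because they cannot be matched against a list of names.
     */
    public function isAllowed(mixed $callable): bool
    {
        if (!is_string($callable) || str_contains($callable, '::')) {
            return false;
        }
        return isset($this->allowed[self::normalizeName($callable)]);
    }

    /** Invokes the callable only after the allow-list check has passed. */
    public function call(mixed $callable, array $args): mixed
    {
        if (!$this->isAllowed($callable)) {
            throw new \RuntimeException('Callable is not on the allow list');
        }
        return call_user_func_array(ltrim($callable, '\\'), $args);
    }
}

// Constructed sample: only two harmless string functions are permitted.
$list = new CallableAllowList(['strtoupper', 'trim']);
var_dump($list->isAllowed('strtoupper'), $list->isAllowed('\\strtoupper'));
var_dump($list->isAllowed('strrev'), $list->isAllowed(['\\strrev', 'x']));
```

The last line shows the point of the advisory: the array form of a callable must reach the same decision as the string form, which here means it is never accepted.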