CVE-2021-32717

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-32717

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32717.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-32717

Aliases

Published

2021-06-24T21:15:08Z

Modified

2024-06-06T13:42:03.421503Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.

References

Affected packages

Git / github.com/shopware/platform

Affected ranges

Type: GIT
Repo: https://github.com/shopware/platform
Events: Introduced

01c209a305adaabaf894e6929290c69c4a07adef

Fixed

5940dfe864da0bcf694534f560820d4a5df2f8b9

Type: GIT
Repo: https://github.com/shopware/shopware
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ba52f683372b8417a00e9014f481ed3d539f34b3

Affected versions

v6.*

v6.0.0+dp1

v6.0.0+ea1

v6.0.0+ea1.1

v6.0.0+ea2

v6.1.0

v6.1.0-rc1

v6.1.0-rc2

v6.1.0-rc3

v6.1.0-rc4

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.2.0

v6.2.0-RC1

v6.2.1

v6.2.2

v6.2.3

v6.3.0.0

v6.3.0.1

v6.3.0.2

v6.3.3.0

v6.3.3.1

v6.3.4.1

v6.3.5.0

v6.4.1.0