GHSA-5297-wrrp-rcj7

Source

https://github.com/advisories/GHSA-5297-wrrp-rcj7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-5297-wrrp-rcj7/GHSA-5297-wrrp-rcj7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5297-wrrp-rcj7

Aliases

CVE-2024-31447

Published

2024-04-08T15:48:27Z

Modified

2024-04-10T18:57:27.460824Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Shopware Improper Session Handling in store-api account logout

Details

Impact

When a authentificated request is made to POST /store-api/account/logout, the cart will be cleared, but the User won't be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on CustomerLogoutEvent and invalidates the session additionally.

Patches

The problem has been fixed with Shopware 6.6.1.0 and 6.5.8.8.

Workarounds

When you are not able to update, you can install the latest version of the Shopware Security Plugin.

Database specific

{
    "nvd_published_at": "2024-04-08T16:15:08Z",
    "cwe_ids": [
        "CWE-613"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-08T15:48:27Z"
}

References

Affected packages

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.5.0

Fixed

6.5.8.8

Affected versions

6.*

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

v6.*

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.5.0

Fixed

6.5.8.8

Affected versions

6.*

6.3.5.0

6.3.5.1

6.3.5.2

6.3.5.3

6.3.5.4

6.4.0.0-RC1

6.4.0.0

6.4.1.0

6.4.1.1

6.4.1.2

6.4.2.0

6.4.2.1

6.4.3.0

6.4.3.1

6.4.4.0

6.4.4.1

6.4.5.0

6.4.5.1

6.4.6.0

6.4.6.1

6.4.7.0

6.4.8.0

6.4.8.1

6.4.8.2

6.4.9.0

6.4.10.0

6.4.10.1

6.4.11.0

6.4.11.1

6.4.12.0

6.4.13.0

6.4.14.0

6.4.15.0

6.4.15.1

6.4.15.2

6.4.16.0

6.4.16.1

6.4.17.0

6.4.17.1

6.4.17.2

6.4.18.0

6.4.18.1

6.4.19.0

6.4.20.0

6.4.20.1

6.4.20.2

6.5.0.0-rc1

6.5.0.0-rc2

6.5.0.0-rc3

6.5.0.0-rc4

6.5.0.0

v6.*

v6.5.1.0

v6.5.1.1

v6.5.2.0

v6.5.2.1

v6.5.3.0

v6.5.3.1

v6.5.3.2

v6.5.3.3

v6.5.4.0

v6.5.4.1

v6.5.5.0

v6.5.5.1

v6.5.5.2

v6.5.6.0

v6.5.6.1

v6.5.7.0

v6.5.7.1

v6.5.7.2

v6.5.7.3

v6.5.7.4

v6.5.8.0

v6.5.8.1

v6.5.8.2

v6.5.8.3

v6.5.8.4

v6.5.8.5

v6.5.8.6

v6.5.8.7

Packagist / shopware/core

Package

Name: shopware/core
Purl: pkg:composer/shopware/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0-rc1

Fixed

6.6.1.0

Affected versions

v6.*

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3

Packagist / shopware/platform

Package

Name: shopware/platform
Purl: pkg:composer/shopware/platform

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.6.0.0-rc1

Fixed

6.6.1.0

Affected versions

v6.*

v6.6.0.0-rc1

v6.6.0.0-rc2

v6.6.0.0-rc3

v6.6.0.0-rc4

v6.6.0.0-rc5

v6.6.0.0-rc6

v6.6.0.0-rc7

v6.6.0.0

v6.6.0.1

v6.6.0.2

v6.6.0.3