CVE-2021-37709 - Vulnerability Details - OpenCVE

Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shopware	Shopware

Configuration 1 [-]

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec
https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-16T22:05:12

Updated: 2024-08-04T01:23:01.522Z

Reserved: 2021-07-29T00:00:00

Link: CVE-2021-37709

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-08-16T22:15:08.130

Modified: 2024-11-21T06:15:45.713

Link: CVE-2021-37709

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "platform", "vendor": "shopware", "versions": [{"status": "affected", "version": "<= 6.4.3.0"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532: Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-16T22:05:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"}], "source": {"advisory": "GHSA-54gp-qff8-946c", "discovery": "UNKNOWN"}, "title": "Insecure direct object reference of log files of the Import/Export feature", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37709", "STATE": "PUBLIC", "TITLE": "Insecure direct object reference of log files of the Import/Export feature"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "platform", "version": {"version_data": [{"version_value": "<= 6.4.3.0"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-532: Insertion of Sensitive Information into Log File"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c", "refsource": "CONFIRM", "url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"}, {"name": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec", "refsource": "MISC", "url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"}]}, "source": {"advisory": "GHSA-54gp-qff8-946c", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.522Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37709", "datePublished": "2021-08-16T22:05:12", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.522Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "481D4300-1FB4-4307-8E13-EF6A0BB1BA46", "versionEndExcluding": "6.4.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a vulnerability involving an insecure direct object reference of log files of the Import/Export feature. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin."}, {"lang": "es", "value": "Shopware es una plataforma de comercio electr\u00f3nico de c\u00f3digo abierto. Las versiones anteriores a 6.4.3.1 contienen una vulnerabilidad que implica una referencia directa no segura a objetos de los archivos de registro de la funcionalidad Import/Export. La versi\u00f3n 6.4.3.1 contiene un parche. Como soluciones para las versiones anteriores de 6.1, 6.2 y 6.3, tambi\u00e9n est\u00e1n disponibles las medidas de seguridad correspondientes por medio de un plugin."}], "id": "CVE-2021-37709", "lastModified": "2024-11-21T06:15:45.713", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-16T22:15:08.130", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/commit/a9f52abb6eb503654c492b6b2076f8d924831fec"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-54gp-qff8-946c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}