CVE-2022-24748 - OpenCVE

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shopware	Shopware

Configuration 1 [-]

cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0
https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-09T22:25:09

Updated: 2024-08-03T04:20:49.934Z

Reserved: 2022-02-10T00:00:00

Link: CVE-2022-24748

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-09T23:15:08.373

Modified: 2023-06-23T19:17:08.653

Link: CVE-2022-24748

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "platform", "vendor": "shopware", "versions": [{"status": "affected", "version": "< 6.4.8.2"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-03-09T22:25:09", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}], "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}, "title": "Incorrect Authentication in shopware", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24748", "STATE": "PUBLIC", "TITLE": "Incorrect Authentication in shopware"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "platform", "version": {"version_data": [{"version_value": "< 6.4.8.2"}]}}]}, "vendor_name": "shopware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287: Improper Authentication"}]}]}, "references": {"reference_data": [{"name": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr", "refsource": "CONFIRM", "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"name": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0", "refsource": "MISC", "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}, "source": {"advisory": "GHSA-83vp-6jqg-6cmr", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.934Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24748", "datePublished": "2022-03-09T22:25:09", "dateReserved": "2022-02-10T00:00:00", "dateUpdated": "2024-08-03T04:20:49.934Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "99D92123-B959-4BEA-9A76-33FE0FBBD691", "versionEndExcluding": "6.4.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In versions prior to 6.4.8.2 it is possible to modify customers and to create orders without App Permission. This issue is a result of improper api route checking. Users are advised to upgrade to version 6.4.8.2. There are no known workarounds."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierto basada en el framework php Symfony y el framework javascript Vue. En versiones anteriores a 6.4.8.2, es posible modificar clientes y crear pedidos sin el permiso de la aplicaci\u00f3n. Este problema es el resultado de una comprobaci\u00f3n inapropiada de la ruta de la API. Es recomendado a usuarios actualizar a versi\u00f3n 6.4.8.2. No se presentan medidas de mitigaci\u00f3n conocidas"}], "id": "CVE-2022-24748", "lastModified": "2023-06-23T19:17:08.653", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-09T23:15:08.373", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/core/commit/329e4d7e028dd8081496cf8bd3acc822000b0ec0"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/shopware/platform/security/advisories/GHSA-83vp-6jqg-6cmr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "security-advisories@github.com", "type": "Secondary"}]}