Lucene search

GitHub Advisory DatabaseGHSA-59QG-93JG-236F

HistoryJan 20, 2023 - 11:18 p.m.

Shopware has Insufficient Session Expiration in Administration

2023-01-2023:18:17

CWE-613

GitHub Advisory Database

github.com

shopware

administration

session expiration

security update

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.8%

JSON

Impact

The Administration session expiration was set to one week, when an attacker has stolen the session cookie they could use it for a long period of time.

Patches

We added an automatic logout into the Administration, so the user will be logged out when they are inactive.

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

Affected configurations

Vulners

Node

shopwareshopwareRange≤6.4.18.0

CPENameOperatorVersion
shopware/corele6.4.18.0
shopware/platformle6.4.18.0

CPE	Name	Operator	Version
	shopware/core	le	6.4.18.0
	shopware/platform	le	6.4.18.0

References

docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates

github.com/advisories/GHSA-59qg-93jg-236f

github.com/shopware/platform/commit/cd7a89cbcd3a0428c6d1ef27b3aa15467a722ff6

github.com/shopware/platform/security/advisories/GHSA-59qg-93jg-236f

nvd.nist.gov/vuln/detail/CVE-2023-22732

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

55.8%

JSON

Related for GHSA-59QG-93JG-236F