CVE-2023-2017: Shopware Has Improper Control of Generation of Code in Twig rendered views
With CVE-2023-22731 we restricted Twig filters so that only allow-listed functions can be executed. PHP Closures can be passed either as a string or as an array, and Closures crafted in the array form were not checked against the allow list.
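An added illustration, not Shopware's or Twig's own code, of the kind of check this description concerns: a callable allow list that compares only the string form lets array-form callables through, whereas normalising every form (and refusing anything that cannot be named, such as a Closure) before comparing closes the gap. The constant, function names and sample callables are constructed for this example; it assumes PHP 8.

```php
<?php
// Constructed allow list of callables a template filter may invoke.
const ALLOWED_CALLABLES = [
    'strtoupper',
    'DateTimeImmutable::createFromFormat',
];

// Weak check in the spirit of the flaw described: only the string form is
// compared against the allow list, so array-form callables are never checked.
function isAllowedWeak(mixed $callable): bool
{
    if (is_string($callable)) {
        return in_array($callable, ALLOWED_CALLABLES, true);
    }
    return true; // array form falls through unchecked
}

// Hardened check: reduce every accepted callable form to a single canonical
// name ("function" or "Class::method") and deny whatever cannot be reduced.
function normalizeCallable(mixed $callable): ?string
{
    if (is_string($callable)) {
        return $callable;
    }
    if (is_array($callable) && count($callable) === 2 && is_string($callable[1])) {
        [$target, $method] = $callable;
        if (is_object($target)) {
            $target = $target::class; // [$object, 'method'] -> class name
        }
        return is_string($target) ? $target . '::' . $method : null;
    }
    return null; // Closure, invokable object, or malformed: no name, so deny
}

function isAllowedStrict(mixed $callable): bool
{
    $name = normalizeCallable($callable);
    return $name !== null && in_array($name, ALLOWED_CALLABLES, true);
}

// Constructed inputs: the same array-form callable passes the weak check
// and is rejected by the strict one; a Closure is rejected outright.
$arrayForm = ['SomeClass', 'notOnTheList'];
var_dump(isAllowedWeak('strtoupper'));
var_dump(isAllowedWeak($arrayForm));
var_dump(isAllowedStrict(['DateTimeImmutable', 'createFromFormat']));
var_dump(isAllowedStrict($arrayForm));
var_dump(isAllowedStrict(fn () => 1));
```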
References
- docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
- github.com/advisories/GHSA-7v2v-9rm4-7m8f
- github.com/shopware/platform
- github.com/shopware/platform/releases/tag/v6.4.20.1
- github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f
- github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f
- nvd.nist.gov/vuln/detail/CVE-2023-2017
- starlabs.sg/advisories/23/23-2017