GMS-2020-593: Authenticated Server Side Request Forgery

December 21, 2020

Impact

Authenticated Server Side Request Forgery

Patches

We recommend to update to the current version 6.3.4.1. You can get the update to 6.3.4.1 regularly via the Auto-Updater or directly via the download overview.

https://www.shopware.com/en/download/#shopware-6

Workarounds

For older versions of 6.1 and 6.2 the corresponding changes are also available via plugin:

https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

For more information

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-12-2020

Credits

We would like to thank REQON B.V. for reporting this issue.

References

github.com/advisories/GHSA-8pfh-mm2g-hmc3
github.com/shopware/platform/security/advisories/GHSA-8pfh-mm2g-hmc3

Detect and mitigate GMS-2020-593 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →