Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/shopware/core@6.4.20%2B1
Typecomposer
Namespaceshopware
Namecore
Version6.4.20+1
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version6.5.7+4
Latest_non_vulnerable_version6.7.8+1
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-4m2y-d8vg-b7fj
vulnerability_id VCID-4m2y-d8vg-b7fj
summary 
Improper Control of Generation of Code ('Code Injection')
Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.
references
0
reference_url https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
reference_id
reference_type
scores
url https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023
1
reference_url https://github.com/shopware/platform
reference_id
reference_type
scores
url https://github.com/shopware/platform
2
reference_url https://github.com/shopware/platform/releases/tag/v6.4.20.1
reference_id
reference_type
scores
url https://github.com/shopware/platform/releases/tag/v6.4.20.1
3
reference_url https://starlabs.sg/advisories/23/23-2017
reference_id
reference_type
scores
url https://starlabs.sg/advisories/23/23-2017
4
reference_url https://starlabs.sg/advisories/23/23-2017/
reference_id
reference_type
scores
url https://starlabs.sg/advisories/23/23-2017/
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-2017
reference_id CVE-2023-2017
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-2017
6
reference_url https://github.com/advisories/GHSA-7v2v-9rm4-7m8f
reference_id GHSA-7v2v-9rm4-7m8f
reference_type
scores
url https://github.com/advisories/GHSA-7v2v-9rm4-7m8f
7
reference_url https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f
reference_id GHSA-7v2v-9rm4-7m8f
reference_type
scores
url https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8f
8
reference_url https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f
reference_id GHSA-7v2v-9rm4-7m8f
reference_type
scores
url https://github.com/shopware/shopware/security/advisories/GHSA-7v2v-9rm4-7m8f
fixed_packages
0
url pkg:composer/shopware/core@6.4.20%2B1
purl pkg:composer/shopware/core@6.4.20%2B1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20%252B1
aliases CVE-2023-2017, GHSA-7v2v-9rm4-7m8f
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4m2y-d8vg-b7fj
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/shopware/core@6.4.20%252B1