Improper Neutralization of Special Elements Used in a Template Engine

CVE-2023-2017

High

8.8/10

Summary

Server-side Template Injection (SSTI) in shopware/core versions 6.4.18.1 through 6.4.20.0, 6.5.0.0-rc1 through 6.5.0.0-rc4, and 6.5.99.99 and shopware/platform versions 6.4.18.1 through 6.4.20.0, 6.5.0.0-rc1 through 6.5.0.0-rc4, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in "Shopware\Core\Framework\Adapter\Twig\SecurityExtension" and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. This is a bypass of CVE-2023-22731.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.

References

Advisory Timeline

Published Apr 17, 2023

Improper Neutralization of Special Elements Used in a Template Engine

CVE-2023-2017

Summary

CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS