CVE-2022-21652

Sažetak

Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted, so that sessions created prior to the latest password change of a customer account can't be used to login with said account. This also means, that upon a password change, all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

Reference

https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022
https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6
https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0

CVSS

Base:	5.5
Impact:	4.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:P/A:N

Zadnje važnije ažuriranje

12-01-2022 - 18:28

Objavljeno

05-01-2022 - 20:15