CVE-2022-24872

8.1 HIGH

📋 TL;DR

CVE-2022-24872 is an incorrect permission assignment vulnerability in Shopware: permissions granted via the Admin API in a sales channel context remain active in normal user sessions. This allows authenticated users to reach administrative functions they should not have. All Shopware installations using affected versions are vulnerable.

💻 Affected Systems

Products:
  • Shopware
Versions: Shopware 6.1.x, 6.2.x, 6.3.x, 6.4.x before 6.4.10.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Shopware installations using affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Authenticated users could gain administrative privileges, leading to data theft, system compromise, or complete platform takeover.

🟠 Likely Case: Users with some permissions could escalate privileges to access restricted administrative functions and sensitive data.

🟢 If Mitigated: With proper access controls and monitoring, impact is limited to potential unauthorized access to specific administrative functions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.10.1

Vendor Advisory: https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2022

Restart Required: No

Instructions:

1. Update to Shopware 6.4.10.1 via composer update or the Shopware updater.
2. For older versions (6.1, 6.2, 6.3), install the security plugin from the Shopware store.
3. Clear the cache after the update.

🧯 If You Can't Patch

  • Implement strict access control monitoring for administrative functions.
  • Segment network access to Shopware admin interfaces.

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version via the admin panel or composer.json. If the version is below 6.4.10.1 and, on the older 6.1 to 6.3 branches, the security plugin is not installed, the system is vulnerable.

Check Version:

php bin/console system:info | grep Version

Verify Fix Applied:

Verify version is 6.4.10.1 or higher, or confirm security plugin is installed for older versions.
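The version check above can be scripted against composer.lock. This is an added example, not part of the advisory or of Shopware itself; it assumes the core package is named `shopware/core` and uses `swag/security` as an assumed composer name for the security plugin the page refers to.

```python
import json
from typing import Optional, Tuple

FIXED_VERSION = (6, 4, 10, 1)                 # first fixed release named on this page
AFFECTED_MINORS = {(6, 1), (6, 2), (6, 3), (6, 4)}
# Assumed composer package name of the Shopware security plugin (not stated on the page).
SECURITY_PLUGIN = "swag/security"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v6.4.9.0' or '6.4.10.1-RC1' into a comparable 4-tuple, or None if not numeric."""
    core = text.lstrip("v").split("-")[0]     # drop a leading 'v' and any pre-release suffix
    try:
        parts = tuple(int(p) for p in core.split("."))
    except ValueError:
        return None                            # e.g. 'dev-trunk' cannot be compared
    return parts + (0,) * (4 - len(parts))    # pad so 6.4.10 compares as 6.4.10.0


def installed_packages(lock_json: str) -> dict:
    """Map package name -> version string for every package listed in a composer.lock."""
    data = json.loads(lock_json)
    return {p["name"]: p["version"] for p in data.get("packages", [])}


def is_vulnerable(lock_json: str) -> Optional[bool]:
    """True if the locked shopware/core is affected by CVE-2022-24872 and unmitigated.

    Returns None when the lock file has no shopware/core or an unparsable version.
    """
    pkgs = installed_packages(lock_json)
    if "shopware/core" not in pkgs:
        return None
    version = parse_version(pkgs["shopware/core"])
    if version is None:
        return None
    if version[:2] not in AFFECTED_MINORS or version >= FIXED_VERSION:
        return False
    # 6.1 to 6.3 are covered by the security plugin; 6.4.x must update to 6.4.10.1.
    if version[:2] != (6, 4) and SECURITY_PLUGIN in pkgs:
        return False
    return True


# Constructed sample lock file: a 6.4.9.0 install with no security plugin.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "shopware/core", "version": "v6.4.9.0"},
    {"name": "symfony/console", "version": "v5.4.0"},
]})

if __name__ == "__main__":
    print("vulnerable" if is_vulnerable(SAMPLE_LOCK) else "not vulnerable")
```

Run it against a real project with `is_vulnerable(open("composer.lock").read())`; a `None` result means the lock file gave no usable answer and the admin panel should be checked instead.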

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to admin API endpoints
  • Users accessing functions outside their normal role permissions

Network Indicators:

  • Increased traffic to administrative endpoints from non-admin users

SIEM Query:

source="shopware.logs" AND (event="admin_api_access" OR event="permission_violation") AND user_role!="admin"

🔗 References