CVE-2024-22406

9.3 CRITICAL

📋 TL;DR

Shopware's API search accepts an aggregations object next to the search criteria. The 'name' field of each aggregation was used in the generated SQL without validation or sanitization, so anyone who can call the search API can inject SQL and read, and potentially modify, data in the shop database. Fixed in 6.5.7.4; the 6.1 to 6.4 branches are covered by the Shopware security plugin instead of a point release.

💻 Affected Systems

Products:
  • Shopware
Versions: Shopware 6.5.x before 6.5.7.4; Shopware 6.1, 6.2, 6.3 and 6.4 without the Shopware security plugin containing the fix
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in core criteria/search handling, so no plugin or non-default configuration is needed for an installation to be affected. Exploitation does require access to the search API (see Exploit Status).

📦 What is this software?

Shopware is an open-source e-commerce platform written in PHP on the Symfony framework. Shopware 6 exposes a REST API through which the administration UI, storefronts and third-party integrations search catalog, customer and order data; the search endpoints accept a criteria object with filters, sorting and aggregations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full read, and depending on the injection point write, access to the shop database through the injected SQL: customer records, orders, and the admin user table with password hashes and API credentials. Escalation beyond the database (for example to code execution on the host) depends on the database account's privileges and the server layout and is not a given.

🟠

Likely Case

Exfiltration of customer personal data, order history and administrative credential hashes by an attacker who already holds, or has obtained, API access.

🟢

If Mitigated

Limited exposure: with API access restricted to trusted clients and the database account confined to the shop's own schema, damage stays within what that schema holds and anomalous queries stand out in monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: No (API access required)
Complexity: LOW

Exploitation requires access to the search API. Once that is available the injection point is a single JSON field, and generic SQL injection techniques (error-based, boolean or time-based blind) need no Shopware-specific knowledge, so complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Shopware 6.5.7.4

Vendor Advisory: https://github.com/shopware/shopware/security/advisories/GHSA-qmp9-2xwj-m6m9

Restart Required: Yes

Instructions:

1. Update to Shopware 6.5.7.4 or later.
2. For 6.1 to 6.4 installations that cannot be upgraded, install or update the Shopware security plugin that carries the fix.
3. Clear the application cache (bin/console cache:clear) and restart PHP-FPM or the application server so OPcache serves the new code.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Reject search requests whose aggregation 'name' values contain anything other than plain identifier characters (letters, digits, underscore, dot, hyphen) before they reach Shopware, for example in a reverse proxy or WAF. This is a stopgap, not a replacement for the patch.

API Access Restriction (applies to: all)

Temporarily restrict the search endpoints to known integration addresses, or disable API credentials that are not needed, until the update is applied.
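As an added example of the input validation workaround above (not Shopware's code), a Python pre-filter that a reverse proxy or middleware could apply to search request bodies. It walks the criteria 'aggregations' list, including the nested 'aggregation' object that filter and terms aggregations can carry (nesting assumed from the public criteria format), and refuses any name that is not a plain identifier. The allowlist pattern and the 64-character cap are assumptions to tune to the names your integrations actually send.

```python
import json
import re

# Aggregation names end up as SQL aliases, so accept only identifier characters.
# Assumption: legitimate clients use names matching this pattern; widen it if needed.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def unsafe_aggregation_names(criteria: dict) -> list[str]:
    """Return the repr() of every aggregation name in a criteria body that fails
    the allowlist (a missing or non-string name is reported as well).

    Walks the top-level 'aggregations' list and any nested 'aggregation' object,
    the nesting used by filter and terms aggregations (structure assumed here
    from the public Shopware criteria format).
    """
    aggs = criteria.get("aggregations", [])
    if not isinstance(aggs, list):
        return ["<aggregations is not a list>"]
    bad: list[str] = []

    def walk(agg) -> None:
        if not isinstance(agg, dict):
            bad.append(repr(agg))
            return
        name = agg.get("name")
        if not isinstance(name, str) or not SAFE_NAME.match(name):
            bad.append(repr(name))
        if "aggregation" in agg:          # nested aggregation, e.g. inside a filter
            walk(agg["aggregation"])

    for agg in aggs:
        walk(agg)
    return bad


def check_request_body(raw_body: bytes) -> tuple[bool, list[str]]:
    """Decide whether a JSON search request may be forwarded.

    Returns (allowed, offending). Bodies that are not a JSON object are refused
    too, because the filter cannot reason about them.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["<invalid json>"]
    if not isinstance(body, dict):
        return False, ["<body is not a JSON object>"]
    offending = unsafe_aggregation_names(body)
    return not offending, offending


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    good = b'{"limit": 10, "aggregations": [{"name": "manufacturers", "type": "terms", "field": "product.manufacturerId"}]}'
    bad = b'{"aggregations": [{"name": "filtered", "type": "filter", "filter": [], "aggregation": {"name": "inner name", "type": "count", "field": "product.id"}}]}'
    print(check_request_body(good))   # (True, [])
    print(check_request_body(bad))    # (False, ["'inner name'"])
```

Allowlisting the identifier characters is preferable to blocklisting SQL keywords: the alias is an identifier position that cannot be parameterized, so the only robust rule is "nothing but identifier characters". Reject and log, do not try to rewrite the request.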

🧯 If You Can't Patch

  • Put a WAF or reverse-proxy rule in front of the API that allowlists identifier characters in aggregation 'name' values; keyword blocklists (SELECT, UNION, SLEEP) are easy to bypass and should only be a secondary signal
  • Run Shopware against a database account limited to its own schema, with no FILE, SUPER or cross-database grants, so a successful injection cannot reach beyond the shop data

🔍 How to Verify

Check if Vulnerable:

Check the Shopware version in the admin panel or from the application files. 6.5.x below 6.5.7.4 is vulnerable and must be updated; 6.1 to 6.4 are vulnerable unless the Shopware security plugin carrying this fix is installed and active.

Check Version:

Check the Shopware version in the admin panel, with bin/console --version from the project root, or with composer show shopware/core (the production template depends on shopware/core; composer show shopware/platform applies where that meta-package is installed)

Verify Fix Applied:

Confirm the reported version is 6.5.7.4 or later, or, on 6.1 to 6.4, that the security plugin is installed and active (bin/console plugin:list shows installed plugins and their state).
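Added example, not a Shopware tool: a Python helper that turns a version string into a verdict for this CVE, applying the branch logic from the advisory: 6.5.x needs 6.5.7.4 or later, 6.1 to 6.4 count as patched only if the security plugin is active, and anything below 6.1 is out of support. It assumes the string comes from bin/console --version (assumed to print the Shopware version) or from the 'versions' line of composer show; whether the plugin is installed is passed in by hand. The __main__ block assumes it is run from a Shopware project root where bin/console exists.

```python
import re
import subprocess

FIXED_65 = (6, 5, 7, 4)                             # first fixed 6.5 release per the advisory
PLUGIN_BRANCHES = {(6, 1), (6, 2), (6, 3), (6, 4)}  # fixed via the security plugin only

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Pull the first x.y.z[.w] out of strings such as 'Shopware 6.5.7.3'
    (bin/console --version) or 'versions : * v6.5.7.3' (composer show).
    A missing fourth component is treated as 0."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def assess(version_text: str, security_plugin_active: bool = False) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for CVE-2024-22406."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in PLUGIN_BRANCHES:
        # No point release for these branches: only the plugin closes the hole.
        return "patched" if security_plugin_active else "vulnerable"
    if branch == (6, 5):
        return "patched" if v >= FIXED_65 else "vulnerable"
    if v > FIXED_65:            # 6.6 and later were released after the fix
        return "patched"
    return "unsupported"        # 6.0 and anything older: upgrade


def local_version() -> str:
    """Run bin/console --version in the current directory (assumed to be the
    Shopware project root) and return its raw output."""
    return subprocess.run(["bin/console", "--version"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    out = local_version()
    # Plugin state is not auto-detected here; check bin/console plugin:list.
    print(out.strip(), "->", assess(out, security_plugin_active=False))
```

Treat the verdict as a first pass: on 6.1 to 6.4 it is only as good as the plugin flag you pass in, so confirm the plugin is both installed and active, not merely present on disk.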

📡 Detection & Monitoring

Log Indicators:

  • Queries in the MySQL general or slow query log with unexpected aliases, subqueries or UNIONs, or calls to SLEEP/BENCHMARK
  • Bursts of failed search API requests (4xx/5xx) from one client whose bodies contain SQL-like fragments
  • Search API requests whose duration is far above the baseline, the signature of time-based blind injection

Network Indicators:

  • Unusual volume or timing of traffic to the search endpoints (POST /api/search/{entity}), especially from a single client
  • Aggregation 'name' values in request bodies containing SQL keywords or non-identifier characters (quotes, backticks, comment sequences)

SIEM Query:

source="shopware_logs" AND (message="*aggregations*" AND message="*name*" AND (message="*SELECT*" OR message="*UNION*" OR message="*SLEEP*"))

This query only fires if request bodies are logged: the aggregations object travels in the POST body of the search request, so plain web-server access logs (URL, status, size) will never contain the 'name' value. Log bodies at the WAF or reverse proxy, or enable request logging in the application, and expect keyword matching alone to miss obfuscated payloads.
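Added example (not part of the page's tooling) of the log-side checks above in Python. It reads JSON-lines request records as a reverse proxy or WAF might emit them (schema assumed: client, method, path, body, duration_ms), keeps only Admin API search calls (POST /api/search/{entity} and /api/search-ids/{entity}; widen the pattern if you expose criteria elsewhere), pulls every "name" string out of the logged body with a tolerant regex so truncated bodies still yield signal, and raises one alert per request that has a non-identifier aggregation name, a SQL token in a name, or a duration above a slow threshold. The sample records are constructed, not captured traffic.

```python
import json
import re

# Admin API search endpoints in Shopware 6 (POST /api/search/{entity} and
# /api/search-ids/{entity}); adapt if your proxy rewrites paths.
SEARCH_PATH = re.compile(r"^/api/search(?:-ids)?/")
# Pull every "name" string out of the logged body without needing valid JSON
# (bodies in proxy logs are often truncated or escaped).
NAME_VALUE = re.compile(r'"name"\s*:\s*"((?:[^"\\]|\\.)*)"')
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
SQL_TOKENS = re.compile(r"\b(?:select|union|sleep|benchmark|information_schema)\b|--|/\*", re.I)
SLOW_MS = 5000  # threshold for 'long-running search request'; tune per site


def analyze_event(event: dict) -> list[str]:
    """Return the detection reasons that fire for one request log record.

    Expected keys (assumed log schema for this example): method, path,
    body (string), duration_ms, client. Non-search paths never alert.
    """
    reasons: list[str] = []
    if not SEARCH_PATH.match(event.get("path", "")):
        return reasons
    for name in NAME_VALUE.findall(event.get("body") or ""):
        if not SAFE_NAME.match(name):
            reasons.append(f"unsafe-aggregation-name:{name!r}")
        if SQL_TOKENS.search(name):
            reasons.append(f"sql-token-in-name:{name!r}")
    if event.get("duration_ms", 0) >= SLOW_MS:
        reasons.append("slow-search-request")
    return reasons


def scan(log_lines) -> list[dict]:
    """Parse JSON-lines records and return one alert per suspicious request."""
    alerts = []
    for raw in log_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # not one of our records; skip it
        reasons = analyze_event(event)
        if reasons:
            alerts.append({"client": event.get("client"),
                           "path": event.get("path"),
                           "reasons": reasons})
    return alerts


# Constructed sample records (not real traffic). Each body is a JSON-encoded string.
SAMPLE_LOG = [
    json.dumps({"client": "10.0.0.5", "method": "POST", "path": "/api/search/product",
                "duration_ms": 120,
                "body": json.dumps({"limit": 1, "aggregations": [
                    {"name": "manufacturers", "type": "terms",
                     "field": "product.manufacturerId"}]})}),
    # Suspicious name (backtick plus a SQL keyword) and a slow response.
    json.dumps({"client": "203.0.113.9", "method": "POST", "path": "/api/search/product",
                "duration_ms": 6100,
                "body": json.dumps({"aggregations": [
                    {"name": "report`union", "type": "count", "field": "product.id"}]})}),
    json.dumps({"client": "10.0.0.7", "method": "GET", "path": "/api/_info/version",
                "duration_ms": 15, "body": ""}),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The three rules are deliberately independent: a slow request alone is weak evidence, a non-identifier name alone is strong evidence, and both together on the same client is what you page on.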
