CVE-2024-42357

7.3 HIGH

📋 TL;DR

This CVE describes a SQL injection vulnerability in Shopware's application API search functionality. Attackers can exploit the 'name' field in the 'aggregations' object to execute arbitrary SQL commands. All Shopware instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Shopware
Versions: All versions prior to 6.6.5.1 and 6.5.8.13; also affects older 6.1, 6.2, 6.3, and 6.4 versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default API search functionality; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise allowing data theft, modification, or deletion, potentially leading to complete system takeover if database privileges permit.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information like customer data, orders, or administrative credentials.

🟢 If Mitigated

Limited impact due to input validation, parameterized queries, or database user restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires API access; SQL injection via the 'name' parameter in aggregations object is straightforward for attackers with API credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.5.1 or 6.5.8.13

Vendor Advisory: https://github.com/shopware/shopware/security/advisories/GHSA-p6w9-r443-r752

Restart Required: Yes

Instructions:

1. Update Shopware to version 6.6.5.1 or 6.5.8.13.
2. For older versions (6.1-6.4), install the security plugin provided by Shopware.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side validation to reject SQL keywords and special characters in the 'name' parameter of API requests.

API Access Restriction

all

Temporarily restrict or disable API access to the vulnerable search endpoint until patching is complete.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns in API requests.
  • Restrict database user permissions to minimize potential damage from successful exploitation.

🔍 How to Verify

Check if Vulnerable:

Check Shopware version via admin panel or by examining the composer.lock file for version numbers below 6.6.5.1 or 6.5.8.13.

Check Version:

php bin/console --version

Verify Fix Applied:

Confirm version is 6.6.5.1 or higher, or 6.5.8.13 or higher; test API search with SQL injection attempts to ensure they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • API requests containing SQL keywords in 'aggregations.name' parameter
  • Error logs showing SQL syntax errors from API endpoints

Network Indicators:

  • HTTP POST requests to /api/search endpoints with suspicious 'name' parameters
  • Unusual traffic patterns to Shopware API

SIEM Query:

source="shopware_logs" "aggregations.name" (SELECT OR UNION OR "--" OR "/*" OR "'")
