7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32717

GHSA ID

GHSA-6gr8-c3m5-mvrg

EPSS Score

0.60463%

CWE

CWE-200

Published

9/8/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32717

CVE-2021-32717:
Exposure of Sensitive Information to an Unauthorized Actor

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as type. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command ./bin/console s3:set-visibility to correct your cloud file visibilities.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32717

GHSA ID

GHSA-6gr8-c3m5-mvrg

EPSS Score

0.60463%

CWE

CWE-200

Published

9/8/2021

Updated

1/29/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/platform	composer	<= 6.4.1.0	6.4.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from incorrect visibility configuration handling in cloud storage integration. The commit diff shows the fix involved modifying FilesystemFactory.php to properly read visibility from 'config.options.visibility' instead of a fallback. Prior to 6.4.1.1, this misconfiguration allowed private files to be stored with public access permissions if the hashed URL was known. The factory method is directly responsible for configuring the filesystem adapter's visibility settings, making it the root cause of the insecure default behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*opw*r* is *n op*n sour** **omm*r** pl*t*orm. In v*rsions prior to *.*.*.* priv*t* *il*s pu*li*ly ****ssi*l* wit* *lou* Stor*** provi**rs w**n t** **s*** URL is known. Us*rs *r* r**omm*n* to *irst ***n** t**ir *on*i*ur*tion to s*t t** *orr**t visi*i

Reasoning

T** vuln*r**ility st*ms *rom in*orr**t visi*ility *on*i*ur*tion **n*lin* in *lou* stor*** int**r*tion. T** *ommit *i** s*ows t** *ix involv** mo*i*yin* `*il*syst*m***tory.p*p` to prop*rly r*** visi*ility *rom '*on*i*.options.visi*ility' inst*** o* *

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-32717: Exposure of Sensitive Information to an Unauthorized Actor

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-32717:
Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability Intelligence
Miggo AI