N/A

CVSS Score

Basic Information

CVE ID

CVE-2024-27917

GHSA ID

GHSA-c2f9-4jmm-v45m

EPSS Score

0.15852%

CWE

CWE-524

Published

3/6/2024

Updated

3/6/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-27917

CVE-2024-27917: Shopware's session is persistent in Cache for 404 pages

Impact

The Symfony Session Handler, pop's the Session Cookie and assign it to the Response. Since Shopware 6.5.8.0 the 404 pages, are cached, to improve the performance of 404 pages. So the cached Response, contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The Symfony Session Handler is in use, when no explicit Session configuration has been done. When Redis is in use for Sessions using the PHP Redis extension, this exploiting code is not used.

Patches

Update to Shopware version 6.5.8.7

Workarounds

Using Redis for Sessions, as this does not trigger the exploit code. Example configuration for Redis

# php.ini
session.save_handler = redis
session.save_path = "tcp://127.0.0.1:6379"

Consequences

As an guest browser session has been cached on a 404 page, every missing image or directly reaching a 404 page will logout the customer or clear his cart.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2024-27917

GHSA ID

GHSA-c2f9-4jmm-v45m

EPSS Score

0.15852%

CWE

CWE-524

Published

3/6/2024

Updated

3/6/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shopware/storefront	composer	>= 6.5.8.0, < 6.5.8.7	6.5.8.7
shopware/platform	composer	>= 6.5.8.0, < 6.5.8.7	6.5.8.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from cached 404 responses retaining session cookies. The commit diff shows the fix added session cookie removal logic directly in NotFoundSubscriber::onError. Prior to the patch, this method would cache responses without sanitizing cookies, making it the vulnerable entry point. The session cookie handling by Symfony's AbstractSessionHandler combined with missing cookie cleanup in the caching flow created the exposure.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** Sym*ony S*ssion **n*l*r, pop's t** S*ssion *ooki* *n* *ssi*n it to t** R*spons*. Sin** S*opw*r* *.*.*.* t** *** p***s, *r* ******, to improv* t** p*r*orm*n** o* *** p***s. So t** ****** R*spons*, *ont*ins * S*ssion *ooki* w**n t** *ro

Reasoning

T** vuln*r**ility st*ms *rom ****** *** r*spons*s r*t*inin* s*ssion *ooki*s. T** *ommit *i** s*ows t** *ix ***** s*ssion *ooki* r*mov*l lo*i* *ir**tly in Not*oun*Su*s*ri**r::on*rror. Prior to t** p*t**, t*is m*t*o* woul* ***** r*spons*s wit*out s*nit

N/A

Basic Information

Concerned about an active attack path?

CVE-2024-27917: Shopware's session is persistent in Cache for 404 pages

Impact

Patches

Workarounds

Consequences

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI