Security Update 07/2023

General Information

In this security release, we have resolved a vulnerability with the threat level "low". Affected are all Shopware versions up to and including 6.5.3.1. The following issue has been fixed with this security update:

NEXT-29146 - Upgrade of the Composer package league/oauth2-server, to fix a known security issue in that library.

The issue only exists if a non-standard key configuration is used in combination with an invalid key.
The key is only exposed to the client if exceptions are forwarded to the client, but it might be written to the logs regardless.

We recommend updating your 6.5 version to 6.5.3.2. You can update via the auto-updater.

For older versions, you can check your configuration for one of the following patterns to find out whether you are affected by this vulnerability:

shopware.yaml:

shopware:
    api:
        jwt_key:
            private_key_path: '%env(base64:JWT_PRIVATE_KEY)%'
            public_key_path: '%env(base64:JWT_PUBLIC_KEY)%'

or

services.yaml:

services:
    shopware.public_key:
        class: League\OAuth2\Server\CryptKey
        arguments: ["%env(base64:JWT_PUBLIC_KEY)%"]

    shopware.private_key:
        class: League\OAuth2\Server\CryptKey
        arguments: ["%env(base64:JWT_PRIVATE_KEY)%"]

Please get in touch with your agency if you find these patterns in your configuration. Unfortunately, for technical reasons, it is not possible for us to provide a general solution for older versions, and you might need an individual adjustment for your environment.
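
As an added check (not part of this advisory or of Shopware's own tooling), the following Python script scans the text of a shopware.yaml or services.yaml for the two patterns shown above and reports the matching lines. The sample configurations embedded in it are constructed for the demonstration, and the regular expressions assume the indentation-based YAML layout shown above.

```python
import re

# The advisory's tell-tale: key material pulled inline from the environment,
# e.g. %env(base64:JWT_PRIVATE_KEY)%, instead of a path to a key file.
ENV_BASE64 = re.compile(r"%env\(base64:[A-Za-z0-9_]+\)%")
KEY_PATH_LINE = re.compile(r"^\s*(private|public)_key_path\s*:\s*(.*)$")
CRYPTKEY_CLASS = re.compile(r"^\s*class\s*:\s*['\"]?League\\OAuth2\\Server\\CryptKey['\"]?\s*$")


def find_affected_patterns(text):
    """Return (line_no, reason) for each line matching one of the two patterns."""
    findings, service_indent = [], None  # service_indent: inside a CryptKey service
    for no, line in enumerate(text.splitlines(), start=1):
        depth = len(line) - len(line.lstrip(" "))
        if service_indent is not None:
            if line.strip() and depth < service_indent:
                service_indent = None  # dedented out of the service definition
            elif ENV_BASE64.search(line):
                findings.append((no, "CryptKey service built from an inline base64 env key"))
                continue
        m = KEY_PATH_LINE.match(line)
        if m and ENV_BASE64.search(m.group(2)):
            findings.append((no, f"jwt_key.{m.group(1)}_key_path is an inline base64 env key"))
        elif CRYPTKEY_CLASS.match(line):
            service_indent = depth
    return findings


# Constructed samples: the advisory's two patterns, plus a file-based setup for contrast.
SHOPWARE_YAML = """\
shopware:
    api:
        jwt_key:
            private_key_path: '%env(base64:JWT_PRIVATE_KEY)%'
            public_key_path: '%env(base64:JWT_PUBLIC_KEY)%'
"""
SERVICES_YAML = """\
services:
    shopware.public_key:
        class: League\\OAuth2\\Server\\CryptKey
        arguments: ["%env(base64:JWT_PUBLIC_KEY)%"]

    shopware.private_key:
        class: League\\OAuth2\\Server\\CryptKey
        arguments: ["%env(base64:JWT_PRIVATE_KEY)%"]
"""
FILE_BASED_YAML = "shopware:\n    api:\n        jwt_key:\n            private_key_path: config/jwt/private.pem\n"

if __name__ == "__main__":
    for name, cfg in [("shopware.yaml", SHOPWARE_YAML), ("services.yaml", SERVICES_YAML), ("file-based", FILE_BASED_YAML)]:
        print(name, find_affected_patterns(cfg) or "no affected pattern found")
```

Run it against your real configuration files by passing their contents to find_affected_patterns; an empty result means neither pattern is present.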


Version

6.1.0 - 6.5.3.1