{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-10T15:09:55.549Z", "datePublished": "2024-01-16T22:29:06.955Z", "dateUpdated": "2024-11-13T19:39:35.421Z"}, "containers": {"cna": {"title": "Broken Access Control order API in Shopware", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf"}], "affected": [{"vendor": "shopware", "product": "shopware", "versions": [{"version": "<  6.5.7.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-16T22:29:06.955Z"}, "descriptions": [{"lang": "en", "value": "Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version."}], "source": {"advisory": "GHSA-3867-jc5c-66qf", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.954Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-23T16:09:33.514980Z", "id": "CVE-2024-22407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T19:39:35.421Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.954Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T16:09:33.514980Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T19:39:31.919Z"}}], "cna": {"title": "Broken Access Control order API in Shopware", "source": {"advisory": "GHSA-3867-jc5c-66qf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "shopware", "product": "shopware", "versions": [{"status": "affected", "version": "<  6.5.7.4"}]}], "references": [{"url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "name": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-16T22:29:06.955Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22407", "state": "PUBLISHED", "dateUpdated": "2024-11-13T19:39:35.421Z", "dateReserved": "2024-01-10T15:09:55.549Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-16T22:29:06.955Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shopware:shopware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B083B7F-D749-44B1-8C9C-2A28013E210E", "versionEndExcluding": "6.5.7.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Shopware is an open headless commerce platform. In the Shopware CMS, the state handler for orders fails to sufficiently verify user authorizations for actions that modify the payment, delivery, and/or order status. Due to this inadequate implementation, users lacking 'write' permissions for orders are still able to change the order state. This issue has been addressed and users are advised to update to Shopware 6.5.7.4. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version."}, {"lang": "es", "value": "Shopware es una plataforma de comercio abierta y sin cabeza. En Shopware CMS, el controlador de estado de los pedidos no verifica suficientemente las autorizaciones del usuario para las acciones que modifican el pago, la entrega y/o el estado del pedido. Debido a esta implementaci\u00f3n inadecuada, los usuarios que carecen de permisos de \"write\" para pedidos a\u00fan pueden cambiar el estado del pedido. Este problema se solucion\u00f3 y se recomienda a los usuarios que actualicen a Shopware 6.5.7.4. Para versiones anteriores de 6.1, 6.2, 6.3 y 6.4, las medidas de seguridad correspondientes tambi\u00e9n est\u00e1n disponibles a trav\u00e9s de un complemento. Para obtener la gama completa de funciones, recomendamos actualizar a la \u00faltima versi\u00f3n de Shopware."}], "id": "CVE-2024-22407", "lastModified": "2024-11-21T08:56:13.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-16T23:15:08.453", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/shopware/shopware/security/advisories/GHSA-3867-jc5c-66qf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}