CVE-2022-21652 Information

Description

Shopware is an open source e-commerce software platform. In affected versions shopware would not invalidate a user session in the event of a password change. With version 5.7.7 the session validation was adjusted so that sessions created prior to the latest password change of a customer account can’t be used to login with said account. This also means that upon a password change all existing sessions for a given customer account are automatically considered invalid. There is no workaround for this issue.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Reference

https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-01-2022 https://github.com/shopware/shopware/security/advisories/GHSA-p523-jrph-qjc6 https://github.com/shopware/shopware/commit/47ebd126a94f4b019b6fde64c0df3d18d74ef7d0

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.1