
[GHSA-r4ph-mx67-x58p] Shopware database password is leaked to an unauthenticated users

Status: Open. Opened by mitelg 1 year ago, 3 comments.

Updates

  • Affected products

Comments:

The composer package name shopware/shopware refers to Shopware 5 and is a totally different system. See https://github.com/shopware5/shopware/blob/5.7/composer.json#L2. We just renamed the GitHub repository name from shopware/platform to shopware/shopware a while ago.

This urgently needs to be fixed, as it spreads misinformation about a wrong security issue on a project that is not affected.

mitelg (Apr 26 '24 11:04)

Hi @mitelg, we appreciate this information. Just to confirm, what should the package name be updated to?

CallmeMari (Apr 26 '24 14:04)

Hey @CallmeMari, the affected packages are still in there: platform and core.

mitelg (Apr 27 '24 12:04)

@CallmeMari any news on this? unfortunately the misinformation already spread a lot...

mitelg (Jun 10 '24 08:06)

Hi @mitelg! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

advisory-database[bot] (Jul 08 '24 18:07)

Hey @mitelg, I'm so sorry this didn't get handled in a timely manner. I've pulled shopware/shopware as an affected product and added an explicit note to the advisory about shopware 5. I think I've found the correct fix commit as well in https://github.com/shopware/core/commit/3c759bbeeda8b59d6f3792f75a0ac28cffeef8c6 Does that look right to you?

darakian (Jul 08 '24 18:07)

Hey @darakian,

thanks for merging and adding the note. I see on packagist that the latest Shopware 5 releases are no longer marked as affected by this :+1:

Yes, that should be the fix addressing this issue.

mitelg (Jul 11 '24 10:07)

> I see on packagist that the latest Shopware 5 releases are no longer marked as affected by this 👍

👀

Do you know if packagist is pulling from our database for those markings? News to me if so.

darakian (Jul 11 '24 15:07)

That's how I came to this repository in the first place 😁 I visited the page for Shopware 5 and was wondering why the latest version was marked with security advisories, although it has no known security issues.

mitelg (Jul 11 '24 20:07)

TIL. I had no idea they were ingesting from us. Neat!

darakian (Jul 11 '24 20:07)
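The thread above turns on one mechanism: an OSV-format advisory lists affected packages by Composer name and version range, downstream consumers such as Packagist match installed package versions against those entries, and a wrong package name therefore flags an unrelated project. The following is an added example (not code from GitHub's advisory database, Packagist or Shopware) that implements that matching for OSV "ECOSYSTEM" ranges and runs it against a constructed before/after pair of advisory records. Only the GHSA id is taken from the thread; the package version ranges, the placeholder fixed version and the sample Shopware 5 version numbers are assumptions made for illustration, not values from the real advisory.

```python
"""Match Composer package versions against an OSV-style advisory.

Added example; not code from GitHub's advisory-database, Packagist or Shopware.
Only the GHSA id below comes from the thread. Version ranges, the placeholder
fixed version and the sample Shopware 5 versions are constructed for illustration.
"""

# ASSUMPTION: illustrative upper bound only, NOT the real fixed release.
PLACEHOLDER_FIXED = "6.5.7.0"

# State before the correction: Shopware 5's composer name (shopware/shopware)
# is listed next to the Shopware 6 packages that are actually affected.
ADVISORY_BEFORE = {
    "id": "GHSA-r4ph-mx67-x58p",
    "affected": [
        {
            "package": {"ecosystem": "Packagist", "name": name},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"},
                                   {"fixed": PLACEHOLDER_FIXED}]}],
        }
        for name in ("shopware/shopware", "shopware/platform", "shopware/core")
    ],
}

# State after the fix described in the thread: shopware/shopware removed,
# platform and core kept with the same (placeholder) range.
ADVISORY_AFTER = {
    "id": ADVISORY_BEFORE["id"],
    "affected": [a for a in ADVISORY_BEFORE["affected"]
                 if a["package"]["name"] != "shopware/shopware"],
}


def version_key(version: str) -> tuple:
    """Comparable key for dotted numeric versions ("v5.7.18", "6.5.8.7").
    Non-numeric suffixes such as "rc1" are ignored; padded to four fields
    so that "5.7" compares equal to "5.7.0.0"."""
    parts = []
    for seg in version.lstrip("vV").split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, events: list) -> bool:
    """OSV ECOSYSTEM range semantics: events are ordered pairs of
    'introduced' followed by 'fixed' (exclusive) or 'last_affected'
    (inclusive). 'introduced': '0' means every version from the start.
    An 'introduced' with no closing event is open-ended."""
    v = version_key(version)
    open_intro = None
    for ev in events:
        if "introduced" in ev:
            open_intro = ev["introduced"]
        elif open_intro is not None:
            lo_ok = open_intro == "0" or version_key(open_intro) <= v
            if "fixed" in ev:
                hi_ok = v < version_key(ev["fixed"])
            else:
                hi_ok = v <= version_key(ev["last_affected"])
            if lo_ok and hi_ok:
                return True
            open_intro = None
    if open_intro is not None:
        return open_intro == "0" or version_key(open_intro) <= v
    return False


def is_affected(advisory: dict, package: str, version: str,
                ecosystem: str = "Packagist") -> bool:
    """True if the advisory lists this package/version as affected,
    either via a range or an explicit 'versions' enumeration."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != package:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and in_range(version, rng["events"]):
                return True
        if version in entry.get("versions", []):
            return True
    return False


def flagged(advisory: dict, package: str, versions: list) -> list:
    """Subset of `versions` a Packagist-style consumer would mark as vulnerable."""
    return [v for v in versions if is_affected(advisory, package, v)]


if __name__ == "__main__":
    shopware5 = ["5.7.17", "5.7.18"]  # constructed sample Shopware 5 versions
    print("before:", flagged(ADVISORY_BEFORE, "shopware/shopware", shopware5))
    print("after: ", flagged(ADVISORY_AFTER, "shopware/shopware", shopware5))
```

The "before" record flags every Shopware 5 release because `introduced: "0"` with a 6.x upper bound covers all of 5.x; the "after" record flags none, which is the behaviour mitelg observed on Packagist once the entry was pulled. The same matcher shows why listing the correct package names matters more than the note in the advisory text: consumers match on the `affected` metadata, not on the prose.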