CVE-2021-32717: Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the ha...

Description

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct your cloud file visibilities.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.46%

70.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Shopware	Shopware	>= 6.1.0, < 6.4.1.1

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021Patch, Vendor Advisory
https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3Patch, Third Party Advisory
https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52vThird Party Advisory
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021Patch, Vendor Advisory
https://github.com/shopware/platform/commit/ba52f683372b8417a00e9014f481ed3d539f34b3Patch, Third Party Advisory
https://github.com/shopware/platform/security/advisories/GHSA-vrf2-xghr-j52vThird Party Advisory

Timeline

Published: Jun 24, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-32717?

Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change their configuration to set the correct visibility according to the documentation. The visibility must be at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public access to the bucket containing the private files: https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise, update to Shopware 6.4.1.1 or install or update the Security plugin (https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command `./bin/console s3:set-visibility` to correct your cloud file visibilities.

How severe is CVE-2021-32717?

CVE-2021-32717 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.46% probability of exploitation in the next 30 days.

How do I fix CVE-2021-32717?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.