CVE-2023-2017

Name: CVE-2023-2017
Creator: NVD / NIST
Published: 2023-04-17T11:15:42.16+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.8/10EPSS 2.08%

Last modified Jun 17, 2026

CVE-2023-2017 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. EPSS estimates a 2.08% chance of exploitation in the next 30 days.

Description

Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731.

Metrics

CVSS 3.1

8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

2.08%

79.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Shopware	Shopware	>= 6.1.0, <= 6.4.20.0	—
Shopware	Shopware	6.5.0.0	Rc1

References

https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023Vendor Advisory
https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8fVendor Advisory
https://starlabs.sg/advisories/23/23-2017/Exploit, Mitigation, Third Party Advisory
https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-04-2023Vendor Advisory
https://github.com/shopware/platform/security/advisories/GHSA-7v2v-9rm4-7m8fVendor Advisory
https://starlabs.sg/advisories/23/23-2017/Exploit, Mitigation, Third Party Advisory

Timeline

Published: Apr 17, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-2017?

How severe is CVE-2023-2017?

CVE-2023-2017 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 2.08% probability of exploitation in the next 30 days.

How do I fix CVE-2023-2017?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-2017?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST