SCA: security update for shopware/platform (GHSA-6gr8-c3m5-mvrg)

high Tenable Cloud Security Plugin ID 411445

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Shopware is an open source eCommerce platform. In versions prior to 6.4.1.1 private files publicly
accessible with Cloud Storage providers when the hashed URL is known. Users are recommend to first change
their configuration to set the correct visibility according to the documentation. The visibility must be
at the same level as `type`. When the Storage is saved on Amazon AWS we recommending disabling public
access to the bucket containing the private files:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html. Otherwise,
update to Shopware 6.4.1.1 or install or update the Security plugin
(https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659) and run the command
`./bin/console s3:set-visibility` to correct your cloud file visibilities. (CVE-2021-32717)

See Also

https://github.com/advisories/GHSA-6gr8-c3m5-mvrg

Plugin Details

Severity: High

ID: 411445

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-32717

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/8/2021

Vulnerability Publication Date: 6/24/2021

Reference Information

CVE: CVE-2021-32717