CVE-2019-12799 - Deserialization of Untrusted Data vulnerability in Shopware
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
In createInstanceFromNamedArguments in Shopware through 5.6.x, a crafted web request can trigger a PHP object instantiation vulnerability, which can result in an arbitrary deserialization if the right class is instantiated. An attacker can leverage this deserialization to achieve remote code execution. NOTE: this issue is a bypass for a CVE-2017-18357 whitelist patch.
Metasploit
description | This module exploits a PHP object instantiation vulnerability that can lead to RCE in Shopware. An authenticated backend user could exploit the vulnerability. The vulnerability exists in the createInstanceFromNamedArguments function, where the whitelist check is insufficient and can be bypassed to trigger an object injection. An attacker can leverage this to deserialize an arbitrary payload and write a webshell to the target system, resulting in remote code execution. Tested on Shopware git branches 5.6, 5.5, 5.4, 5.3. |
id | MSF:EXPLOIT/MULTI/HTTP/SHOPWARE_CREATEINSTANCEFROMNAMEDARGUMENTS_RCE |
last seen | 2020-06-14 |
modified | 2019-09-12 |
published | 2019-05-09 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb |
title | Shopware createInstanceFromNamedArguments PHP Object Instantiation RCE |