CVE-2021-32716

Description

### Impact The admin api has exposed some internal hidden fields when an association has been loaded with a to many reference ### Patches We recommend updating to the current version 6.4.1.1. You can get the update to 6.4.1.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659

How to fix CVE-2021-32716

To remediate CVE-2021-32716, upgrade the affected package to a fixed version below.

• —upgrade to 6.4.1.1 or later
• —upgrade to 6.4.1.1 or later
• —upgrade to 6.4.1.1 or later

Is CVE-2021-32716 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 6.4.1.1
• from 0, < 6.4.1.1
• from 0, < 6.4.1.1

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32716
• WEBdocs.shopware.com/en/shopware-6-en/security-updates/security-update-06-2021
• WEBgithub.com/shopware/platform/commit/b5c3ce3e93bd121324d72aa9d367cb636ff1c0eb
• WEBgithub.com/shopware/platform/security/advisories/GHSA-gpmh-g94g-qrhr