VYPR
High severity · NVD Advisory · Published Jul 28, 2020 · Updated Aug 4, 2024

CVE-2020-13997

Description

In Shopware before 6.2.3, the database password is leaked to an unauthenticated user when a DriverException occurs and verbose error handling is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Shopware before 6.2.3 leaks the database password to unauthenticated users when a DriverException occurs and verbose error handling is enabled.

Shopware 6.0.0 through 6.2.2 are vulnerable to an information disclosure issue involving the database password. The leak occurs when a DriverException (the Doctrine DBAL exception class that Shopware's database layer raises for driver-level errors such as a failed connection or query) is thrown while verbose error handling is enabled on the server. Under these conditions the error response sent back to the client includes the database password, and no authentication is required to receive it [1][2].

The attack surface is exposed to any unauthenticated user who can trigger a database-level error. The advisory does not name a specific trigger; any request that makes the database layer throw a DriverException (a malformed request, a query that fails, or a connection problem at the time of the request) would do. No special privileges or network position are required beyond HTTP access to the Shopware instance. The second precondition is configuration rather than code: the instance must be running with verbose error handling enabled, which in a Symfony-based application such as Shopware 6 is the debug mode that renders exception details to the client.

Successful exploitation gives an unauthenticated attacker the database credentials. If the database server is reachable from the attacker's position, or through another foothold, those credentials grant full access to the Shopware database: reading, modifying, or deleting customer information, orders, product data, and other sensitive records [2].

The issue is fixed in Shopware 6.2.3; upgrade to that version or later. Independently of the upgrade, run production instances with verbose error handling disabled (in Shopware 6 that means APP_ENV=prod with APP_DEBUG unset or set to 0 in the .env file), which keeps exception details, password included, from reaching the client even if a similar error occurs [1]. Disabling verbose errors removes the exposure path but is not a substitute for the upgrade.
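A quick way to tell whether a given deployment is in the exposed state (affected version and verbose errors on) is to read the two artifacts that decide it. The script below is an added example, not Shopware's code and not from the advisory: it assumes a composer.lock that lists shopware/core or shopware/platform, and a Symfony-style .env from which Shopware's front controller derives debug mode as the PHP (bool) cast of APP_DEBUG when that is set, and otherwise as APP_ENV != "prod". The composer.lock and .env contents in the block are constructed for the demonstration.

```python
"""Exposure check for CVE-2020-13997: is this Shopware install both on an
affected version (>= 6.0.0, < 6.2.3) and running with verbose errors?

Added example, not Shopware's code. Assumptions: a composer.lock listing
shopware/core or shopware/platform, and a Symfony-style .env in which the
front controller derives debug mode as
    debug = (bool) APP_DEBUG  if APP_DEBUG is set, else  APP_ENV != "prod"
(a PHP (bool) cast treats only "" and "0" as false).
"""
import json
import re

AFFECTED_PACKAGES = ("shopware/core", "shopware/platform")
FIRST_AFFECTED = (6, 0, 0)   # ">= 6.0.0" from the advisory
FIRST_PATCHED = (6, 2, 3)    # "< 6.2.3" from the advisory


def parse_version(version):
    """'v6.2.2', '6.2.2-RC1', '6.4.0.0' -> (6, 2, 2) / (6, 2, 2) / (6, 4, 0).
    A pre-release suffix is dropped, so 6.2.3-RC1 compares as 6.2.3."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_PATCHED


def installed_shopware_versions(composer_lock):
    """Map each affected package present in composer.lock to its locked version."""
    data = json.loads(composer_lock)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") in AFFECTED_PACKAGES:
                found[pkg["name"]] = pkg.get("version", "")
    return found


def parse_dotenv(text):
    """Minimal KEY=value parser: ignores comments and blank lines, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def verbose_errors_enabled(env):
    """Mirror the assumed front-controller logic. A missing APP_ENV is treated
    as not-prod, so the check errs on the side of reporting exposure."""
    app_debug = env.get("APP_DEBUG")
    if app_debug is not None:
        return app_debug not in ("", "0")   # PHP (bool) cast semantics
    return env.get("APP_ENV", "").lower() != "prod"


def assess(composer_lock, dotenv):
    versions = installed_shopware_versions(composer_lock)
    vulnerable_version = any(is_affected_version(v) for v in versions.values())
    verbose = verbose_errors_enabled(parse_dotenv(dotenv))
    return {
        "versions": versions,
        "vulnerable_version": vulnerable_version,
        "verbose_errors": verbose,
        "exposed": vulnerable_version and verbose,   # both preconditions hold
    }


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "shopware/core", "version": "v6.2.2"},
        {"name": "symfony/http-kernel", "version": "v4.4.10"},
    ]
})
SAMPLE_DOTENV = (
    "APP_ENV=dev\n"
    "DATABASE_URL=mysql://shopware:not-a-real-password@127.0.0.1:3306/shopware\n"
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE_COMPOSER_LOCK, SAMPLE_DOTENV).items():
        print(f"{key}: {value}")
```

The two files are passed as strings so the check runs offline; on a host you would feed it the contents of composer.lock and .env from the Shopware root. The exposed flag is only the static precondition: it says the instance would hand the password to the client if a DriverException occurred, not that one has, and it does not replace upgrading to 6.2.3.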

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                        Affected versions     Patched versions
shopware/core (Packagist)      >= 6.0.0, < 6.2.3     6.2.3
shopware/platform (Packagist)  >= 6.0.0, < 6.2.3     6.2.3

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)