VYPR
Moderate severity · NVD Advisory · Published Jun 27, 2023 · Updated Nov 7, 2024

Dependency configuration exposed in Shopware

CVE-2023-34098

Description

Shopware is open source e-commerce software. Due to an incorrect configuration in the .htaccess file, the JavaScript dependency configuration file (themes/package-lock.json) could be read in production environments. With this information, an attacker might determine the specific Shopware version of a deployment, which could be used for further attacks. Users are advised to update to version 5.7.18. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:           shopware/shopware (Packagist)
Affected versions: >= 5.6.0, < 5.7.18
Patched versions:  5.7.18

Patches

b3518c8d9562

SW-27070 - improve htaccess

https://github.com/shopware5/shopware · Pascal Thesing · May 2, 2023 · via ghsa
1 file changed · +1 -1
  • .htaccess.dist (+1 -1, modified)
    @@ -39,7 +39,7 @@ RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
         RedirectMatch 404 /(web\/cache\/(config_\d+\.json|all.less))$
     
         # Restrict access to theme configurations
    -    RedirectMatch 404 /themes/(.*)(.*\.lock|package\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$
    +    RedirectMatch 404 /themes/(.*)(.(lock|package)\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$
     </IfModule>
     
     # Staging environment
    
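Review bot: The new alternative `.(lock|package)\.json` requires one character before `lock`/`package`, so a `package.json` sitting directly under `/themes/` (which the removed `package\.json` alternative matched, since `(.*)` may be empty) no longer triggers the 404, and dropping the `.*\.lock` alternative means `*.lock` files under `/themes/` are no longer blocked either. Suggest spelling both cases out, e.g. `RedirectMatch 404 /themes/(.*)(package(-lock)?\.json|.*\.lock|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$`, and extending the comment above the rule to say that the dependency lock file is meant to be covered, so the next edit does not silently drop it again.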

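To see which theme-directory requests each version of the rule actually blocks, here is an added check (not Shopware's own code) that evaluates the two regexes from the patch above against a constructed list of paths; it assumes Python's re agrees with Apache's regex engine for these simple patterns.

```python
import re

# The RedirectMatch patterns before and after the fix, copied from the
# .htaccess.dist hunk. RedirectMatch tests the regex against the request path;
# Python's re.search is assumed to behave like Apache's matcher here.
OLD_RULE = r"/themes/(.*)(.*\.lock|package\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$"
NEW_RULE = r"/themes/(.*)(.(lock|package)\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$"

# Constructed sample of request paths to check against both rules.
SAMPLE_PATHS = [
    "/themes/package-lock.json",  # the file named in CVE-2023-34098
    "/themes/package.json",
    "/themes/Frontend/Responsive/package.json",
    "/themes/yarn.lock",
    "/themes/Gruntfile.js",
    "/themes/Frontend/Responsive/frontend/_public/src/js/jquery.slider.js",
]


def is_blocked(rule: str, path: str) -> bool:
    """True if the RedirectMatch 404 rule would fire for this request path."""
    return re.search(rule, path) is not None


def compare_rules(paths):
    """Map each path to (blocked_by_old_rule, blocked_by_new_rule)."""
    return {p: (is_blocked(OLD_RULE, p), is_blocked(NEW_RULE, p)) for p in paths}


def regressions(paths):
    """Paths the old rule blocked but the new rule lets through; this is what a
    reviewer of the patch should look at before shipping it."""
    return [p for p, (old, new) in compare_rules(paths).items() if old and not new]


if __name__ == "__main__":
    for path, (old, new) in compare_rules(SAMPLE_PATHS).items():
        print(f"{path:72} old={'404' if old else 'open'}  new={'404' if new else 'open'}")
    print("regressions:", regressions(SAMPLE_PATHS))
```

The output shows the fix closing /themes/package-lock.json, and the regressions list is the same set of paths the review note above points out.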