CVE-2022-24747: 
PHP vulnerability analysis and mitigation

Shopware, an open commerce platform based on the Symfony PHP Framework and Vue javascript framework, was found to have a vulnerability (CVE-2022-24747) where sensitive HTTP headers were not properly set as non-cacheable. The vulnerability was discovered in versions prior to 6.4.8.2 and was disclosed on March 9, 2022 (NVD, GitHub Advisory).

The vulnerability stems from improper configuration of HTTP cache headers, where private HTTP headers were incorrectly marked as public. This issue affects the HTTP caching mechanism when there is an HTTP cache between the server and client. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

If exploited, this vulnerability could lead to the exposure of sensitive HTTP headers through HTTP caches. When an HTTP cache is present between the server and client, sensitive information contained in these headers might be exposed to unauthorized parties (Shopware Docs).

The vulnerability has been patched in Shopware version 6.4.8.2. Users are strongly recommended to upgrade to this version. For older versions (6.1, 6.2, and 6.3), security measures are available via a plugin. The fix involves proper configuration of cache control headers to ensure sensitive headers are marked as private (GitHub Commit).