
Cloud Vulnerability DB
A community-led vulnerabilities database
Shopware, open-source e-commerce software, contains a vulnerability caused by an incorrect configuration in the .htaccess file that allows the JavaScript configuration file (themes/package-lock.json) to be read in production environments. This vulnerability affects versions from 5.6.0 to 5.7.17 and was disclosed on June 27, 2023. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) (NVD).
The vulnerability stems from a misconfiguration in the .htaccess file that fails to properly restrict access to sensitive configuration files. Specifically, the themes/package-lock.json file becomes accessible in production environments. This file contains information about the specific Shopware version deployed on the system (Shopware Docs).
The exposure of the package-lock.json file allows attackers to determine the specific Shopware version in a deployment. This information disclosure could be leveraged for further attacks by helping attackers identify version-specific vulnerabilities (NVD).
The vulnerability has been fixed in Shopware version 5.7.18. Users are advised to update to this version, which can be obtained via the Auto-Updater or directly through the download overview. For users unable to update immediately, there are no known workarounds for this vulnerability (Shopware Docs).
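To confirm whether a shop you operate is still serving the file, the following added example (not code from Shopware or from this advisory) classifies the response for themes/package-lock.json and checks a version string against the affected range. The function names, the result labels and the set of JSON keys used to recognise an npm lockfile are assumptions made for illustration.

```python
import json
import re
import urllib.error
import urllib.request

LOCKFILE_PATH = "themes/package-lock.json"  # path named in the advisory
FIRST_AFFECTED, LAST_AFFECTED = (5, 6, 0), (5, 7, 17)  # range from the advisory
# Assumption: top-level keys that mark a JSON document as an npm lockfile.
NPM_KEYS = {"lockfileVersion", "dependencies", "packages"}


def is_affected(version: str) -> bool:
    """True if a Shopware version such as '5.7.17' is in the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED


def classify_response(status: int, body: bytes) -> str:
    """Return 'exposed', 'not_served' or 'inconclusive' for one HTTP answer."""
    if status in (401, 403, 404, 410):
        return "not_served"
    if status != 200:
        return "inconclusive"
    try:
        doc = json.loads(body.decode("utf-8", errors="replace"))
    except ValueError:
        return "not_served"  # e.g. a themed error page sent with status 200
    if isinstance(doc, dict) and NPM_KEYS & doc.keys():
        return "exposed"
    return "inconclusive"


def check_shop(base_url: str, timeout: float = 10.0) -> str:
    """Request the lockfile from a shop you operate and classify the answer."""
    url = base_url.rstrip("/") + "/" + LOCKFILE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        return classify_response(exc.code, b"")
    except OSError:
        return "inconclusive"


if __name__ == "__main__":
    sample = b'{"name": "shopware", "lockfileVersion": 1, "dependencies": {}}'  # constructed
    print(classify_response(200, sample), is_affected("5.7.17"), is_affected("5.7.18"))
```

A result of "exposed" after updating to 5.7.18 suggests the deployed .htaccess was not replaced by the update or is not being honoured by the web server.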
Source: This report was generated using AI