
CVE-2022-24745: CWE-384: Session Fixation in shopware platform

Medium
Published: Wed Mar 09 2022 (03/09/2022, 22:25:28 UTC)
Source: CVE
Vendor/Project: shopware
Product: platform

Description

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected by this issue. This issue has been resolved in version 6.4.8.2. Users unable to upgrade should disable the HTTP Cache.

AI-Powered Analysis

Last updated: 06/23/2025, 14:44:29 UTC

Technical Analysis

CVE-2022-24745 is a session fixation vulnerability identified in the Shopware platform, an open commerce solution built on the Symfony PHP framework and Vue.js. The vulnerability affects versions prior to 6.4.8.2 and arises when HTTP caching is enabled without the use of Varnish caching. Specifically, guest sessions are improperly shared between different customers due to the way HTTP cache handles session identifiers. This leads to session fixation, where an attacker can fixate a session ID and cause multiple users to share the same session context. The consequence is inconsistent and potentially insecure user experiences, such as unauthorized access to another user's shopping cart or session data. The issue is rooted in CWE-384 (Session Fixation), which occurs when an application does not properly invalidate or regenerate session identifiers upon authentication or session initiation. The vulnerability does not require authentication or user interaction to be exploited, but it depends on the presence of HTTP caching enabled in the Shopware setup. Notably, setups using Varnish caching are not affected. The vendor has resolved this issue in Shopware version 6.4.8.2, and users unable to upgrade are advised to disable HTTP caching to mitigate the risk. There are no known exploits in the wild reported to date.
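A simplified model of the mechanism the analysis describes, added here as an example and not Shopware's code: a page cache that stores a response carrying the Set-Cookie header that began a guest session replays that cookie to every later guest, while a cache that refuses to store session-starting responses keeps guests separate. The class names, the `/checkout/cart` path and the `session` cookie name are hypothetical.

```python
import secrets

class Origin:
    """Hypothetical origin application: a guest with no session cookie gets a
    fresh one. Responses are modelled as header dicts; the body is irrelevant."""

    def handle(self, cookies: dict) -> dict:
        headers = {"Content-Type": "text/html"}
        if "session" not in cookies:
            headers["Set-Cookie"] = f"session={secrets.token_hex(16)}; HttpOnly"
        return headers

class NaiveCache:
    """Vulnerable model: stores whatever the origin returned, Set-Cookie
    included, so the first guest's session cookie is replayed to later guests."""

    def __init__(self, origin: Origin):
        self.origin, self.store = origin, {}

    def get(self, path: str, cookies: dict) -> dict:
        if path not in self.store:
            self.store[path] = self.origin.handle(cookies)
        return self.store[path]

class HardenedCache(NaiveCache):
    """Defensive rule: a response that starts a session is never stored."""

    def get(self, path: str, cookies: dict) -> dict:
        if path in self.store:
            return self.store[path]
        headers = self.origin.handle(cookies)
        if "Set-Cookie" not in headers:
            self.store[path] = headers
        return headers

def guest_session_ids(cache: NaiveCache, guests: int = 3) -> list:
    """Each guest starts with an empty cookie jar and loads the cart page once;
    returns the session id each guest ends up holding."""
    ids = []
    for _ in range(guests):
        jar = {}
        set_cookie = cache.get("/checkout/cart", jar).get("Set-Cookie", "")
        if set_cookie.startswith("session="):
            jar["session"] = set_cookie.split(";", 1)[0].split("=", 1)[1]
        ids.append(jar.get("session"))
    return ids
```

With the naive cache all three guests end up holding one session id; with the hardened cache each gets its own, and pages served to guests that already have a session are still cached.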

Potential Impact

For European organizations using Shopware versions prior to 6.4.8.2 with HTTP caching enabled (excluding those using Varnish), this vulnerability can lead to session fixation attacks that compromise the confidentiality and integrity of user sessions. Attackers could potentially hijack guest sessions, leading to unauthorized access to shopping carts, personal data, or other session-specific information. This undermines customer trust and could result in data privacy violations under GDPR regulations. Although the vulnerability does not directly impact availability, the reputational damage and potential regulatory penalties could be significant. E-commerce platforms are critical for business operations, and any disruption or data breach could have financial and operational consequences. The impact is particularly relevant for organizations with high volumes of guest users and those relying on HTTP caching for performance optimization. Since no authentication or user interaction is required, the ease of exploitation is moderate, contingent on the caching configuration. The scope is limited to affected Shopware versions and specific caching setups, but given Shopware's popularity in European e-commerce, the threat is non-negligible.

Mitigation Recommendations

1. Immediate upgrade to Shopware version 6.4.8.2 or later to apply the official patch resolving the session fixation issue.
2. For organizations unable to upgrade promptly, disable HTTP caching in the Shopware configuration to prevent session sharing between guests.
3. Review and audit caching infrastructure to ensure that Varnish caching is implemented where possible, as it is not affected by this vulnerability.
4. Implement additional session management best practices such as regenerating session IDs upon user login or significant session state changes.
5. Monitor web server and application logs for unusual session behaviors or repeated session ID usage across different IP addresses or user agents.
6. Conduct penetration testing focused on session management and caching configurations to identify residual risks.
7. Educate development and operations teams about secure session handling and caching implications to prevent similar issues in future deployments.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-02-10T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9842c4522896dcbf274e

Added to database: 5/21/2025, 9:09:22 AM

Last enriched: 6/23/2025, 2:44:29 PM

Last updated: 8/17/2025, 1:10:43 PM
