Shopware Race Condition Vulnerability in Voucher System Allowing Bypass of Usage Limits

Vulnerability

A race condition vulnerability has been identified in Shopware's voucher system in versions 6.6.10.4, 6.6.x, and 6.7.x. This vulnerability allows attackers to bypass intended voucher restrictions and exceed usage limitations. The issue arises because the validation of voucher codes is not an atomic operation, enabling vouchers to be used in multiple simultaneous checkouts. Exploitation could lead to one-time vouchers being used beyond their intended limit.

Impact

Successful exploitation allows attackers to misuse one-time vouchers by applying them to multiple checkout processes, effectively exceeding the vouchers' predefined usage limits.

Reproduction

To reproduce this vulnerability, an attacker must first obtain a valid restricted voucher, such as a one-time use voucher. The attacker can then apply this voucher to a shopping cart and initiate the checkout process. By intercepting the final checkout request and sending it through a single-packet attack, the attacker can apply the voucher to all intercepted requests, bypassing the one-time use restriction.
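The following is an added illustration, not Shopware's code: it models the non-atomic validation described under Vulnerability and the burst of simultaneous checkouts described under Reproduction, then shows the hardened form, where validating and consuming the voucher is a single conditional UPDATE. The voucher table, the ONETIME code and the SQLite stand-in for the shop database are assumptions.

```python
import os
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

VOUCHER = "ONETIME"  # constructed sample voucher code

def create_db(max_uses: int = 1) -> str:
    """Constructed stand-in for the shop database: one voucher row with a usage counter."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("CREATE TABLE voucher (code TEXT PRIMARY KEY, max_uses INTEGER, uses INTEGER)")
    conn.execute("INSERT INTO voucher VALUES (?, ?, 0)", (VOUCHER, max_uses))
    conn.close()
    return path

def vulnerable_redeem(conn: sqlite3.Connection, barrier: threading.Barrier) -> bool:
    # Check-then-act: the SELECT that validates and the UPDATE that consumes are separate
    # statements, so every concurrent checkout can pass validation before any use is recorded.
    rows = conn.execute("SELECT uses < max_uses FROM voucher WHERE code = ?", (VOUCHER,)).fetchall()
    valid = bool(rows and rows[0][0])
    barrier.wait()  # forces the interleaving that a burst of simultaneous requests produces
    if valid:
        conn.execute("UPDATE voucher SET uses = uses + 1 WHERE code = ?", (VOUCHER,))
    return valid

def atomic_redeem(conn: sqlite3.Connection, barrier: threading.Barrier) -> bool:
    # Validate and consume in one conditional UPDATE: the database serialises the row write,
    # so at most max_uses callers ever see rowcount == 1, however many arrive at once.
    barrier.wait()
    cur = conn.execute("UPDATE voucher SET uses = uses + 1 WHERE code = ? AND uses < max_uses", (VOUCHER,))
    return cur.rowcount == 1

def run_checkouts(redeem, n: int, max_uses: int = 1) -> tuple:
    """Run n concurrent checkouts; return (accepted checkouts, final uses counter)."""
    path = create_db(max_uses)
    barrier = threading.Barrier(n, timeout=10)

    def checkout(_):
        conn = sqlite3.connect(path, timeout=10, isolation_level=None)  # one connection per request
        result = redeem(conn, barrier)
        conn.close()
        return result

    with ThreadPoolExecutor(max_workers=n) as pool:
        accepted = sum(pool.map(checkout, range(n)))
    conn = sqlite3.connect(path)
    uses = conn.execute("SELECT uses FROM voucher WHERE code = ?", (VOUCHER,)).fetchone()[0]
    conn.close()
    os.unlink(path)
    return accepted, uses
```

With four simultaneous checkouts of a one-use voucher, `run_checkouts(vulnerable_redeem, 4)` accepts all four and leaves the counter at 4, while `run_checkouts(atomic_redeem, 4)` accepts exactly one. On a production database the equivalent fix is the same conditional UPDATE, or a row lock (for example `SELECT ... FOR UPDATE`) held across the validation and the write.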

Added: Aug 6, 2025, 8:17 AM
Updated: Aug 6, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm

spread:          6.4
impact:          0.6
exploitability:  6.4
remediation:     0.0
relevance:       0.3
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.