Magento Critical Vulnerabilities Announced by Adobe


Adobe announced it has released a patch for Magento 2 in order to fix multiple critical vulnerabilities. Some of the vulnerabilities could allow attackers to take over administrator sessions as well as grant access to customer information.

The vulnerabilities affecting the popular Magento ecommerce platform affect both the open source and commercial versions.

According to the Magento Open Source release notes:

Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities

No confirmed attacks related to these issues have occurred to date.

However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions.”

Advertisement

Continue Reading Below

Vulnerabilities Patched in Magento Ecommerce Platform

Adobe announced the release of Magento 2.4.3 which contains a total of 33 security enhancements.

These security issues affect both the commercial and open source versions of Magento.

Commercial Magento Versions that are Affected:

  • 2.4.2 and earlier versions
  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions

Open Source Magento Versions that are Affected:

  • 2.4.2-p1 and earlier versions
  • 2.3.7 and earlier versions

Advertisement

Continue Reading Below

Critical Magento Security Issues

Several of the security issues are rated critical.

Of particular note is that of the sixteen security vulnerabilities that were announced by Adobe, ten of them do not require any admin or user credentials in order to exploit Magento.

The remaining six vulnerabilities require that an attacker already have administrator level privilege.

Eleven of the vulnerabilities are rated as critical and the rest are rated as important.

Eleven Critical Vulnerabilities in Magento

While all vulnerabilities should not be disregarded, the ones rated as critical are relatively especially dangerous.

There are four kinds of vulnerabilities:

  1. Arbitrary code execution (7 vulnerabilities)
  2. Security feature bypass (2)
  3. Application denial-of-service (1)
  4. Privilege escalation (1)

Magento Arbitrary Code Execution

The Arbitrary Code Execution exploits affecting Magento consist of six kinds of attacks.

  • Improper Access Control
  • Improper Input Validation
  • Path Traversal
  • OS Command Injection
  • Server-Side Request Forgery (SSRF)
  • XML Injection (aka Blind XPath Injection)

Examples of Magento Security Feature Bypass Exploits

There are two kinds of Security Feature Bypass issues affecting Magento that are patched in Magento version 2.4.3.

  • Improper Input Validation
    This kind of issue relates to a failure to properly validate an input for dangerous for the software to process . This allows an attacker to craft an unexpected input that can lead to an arbitrary code execution.
  • Improper Authorization
    An Improper Authorization exploit is when the software fails to properly check if the user has the privilege levels person making the inputs has the proper credentials.

Advertisement

Continue Reading Below

A common feature of the above exploits is that they allow an attacker to gain access to sensitive locations in the software, allowing an attacker to execute arbitrary commands.

According to Adobe’s summary:

“Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.”

Magento Update Version 2.4.3

It’s safe to say that updating to the latest version of Magento is recommended to be considered. Adobe’s release notes state that there are some backward compatibility issues.

Some of the changes are released independently and can be updated in that way.

Advertisement

Continue Reading Below

Please read the full Adobe release notes in the security bulletin.

Citations

Adobe Security Bulletin

Magento Open Source 2.4.3 Release Notes

Adobe Commerce 2.4.3 Release Notes

Minor Backward Incompatibility Issues

Major Backward Compatibility Issues





Source link

0/5 (0 Reviews)
0/5 (0 Reviews)