Adobe Security Bulletin

Security update available for Adobe Commerce | APSB23-50

Bulletin ID

Date Published

Priority

APSB23-50

October 10, 2023

3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

Affected Versions

Product Version Platform
 Adobe Commerce
2.4.7-beta1 and earlier
2.4.6-p2 and earlier
2.4.5-p4 and earlier
2.4.4-p5 and earlier
2.4.3-ext-4 and earlier*
2.4.2-ext-4 and earlier*
2.4.1-ext-4 and earlier*
2.4.0-ext-4 and earlier*
2.3.7-p4-ext-4 and earlier*
All
Magento Open Source 2.4.7-beta1 and earlier
2.4.6-p2 and earlier
2.4.5-p4 and earlier
2.4.4-p5 and earlier
All

Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.
* These versions are only applicable to customers participating in the
Extended Support Program

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

 

Product Updated Version Platform Priority Rating Installation Instructions
Adobe Commerce

2.4.7-beta2 for 2.4.7-beta1 and earlier
2.4.6-p3 for 2.4.6-p2 and earlier
2.4.5-p5 for 2.4.5-p4 and earlier
2.4.4-p6 for 2.4.4-p5 and earlier
2.4.3-ext-5 for 2.4.3-ext-4 and earlier*
2.4.2-ext-5 for 2.4.2-ext-4 and earlier*
2.4.1-ext-5 for 2.4.1-ext-4 and earlier*
2.4.0-ext-5 for 2.4.0-ext-4 and earlier*
2.3.7-p4-ext-5 for 2.3.7-p4-ext-4 and earlier*

All
3 2.4.x release notes
Magento Open Source 

2.4.7-beta2 for 2.4.7-beta1 and earlier
2.4.6-p3 for 2.4.6-p2 and earlier
2.4.5-p5 for 2.4.5-p4 and earlier
2.4.4-p6 for 2.4.4-p5 and earlier

All
3
Note: * These versions are only applicable to customers participating in the Extended Support Program

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity Authentication required to exploit? Exploit requires admin privileges?
CVSS base score
CVSS vector
CVE number(s)
Improper Input Validation (CWE-20)
Privilege escalation
Critical No No 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-38218
Cross-site Scripting (Stored XSS) (CWE-79)
Privilege escalation
Critical Yes Yes 8.4 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVE-2023-38219
Improper Authorization (CWE-285)
Security feature bypass
Critical Yes No 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2023-38220
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Arbitrary code execution
Critical Yes Yes 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-38221
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Arbitrary code execution
Critical Yes Yes 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-38249
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Arbitrary code execution
Critical Yes Yes 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-38250
Information Exposure (CWE-200)
Arbitrary code execution
Critical
Yes Yes 7.6 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
CVE-2023-26367
Uncontrolled Resource Consumption (CWE-400)
Application denial-of-service
Important No No 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2023-38251
Server-Side Request Forgery (SSRF) (CWE-918)
Arbitrary file system read
Important
Yes Yes 6.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
CVE-2023-26366

Updates to Dependencies

CVE Dependency
Vulnerability Impact
Affected Versions
CVE-2021-41182
jQuery
Arbitrary Code Execution

Adobe Commerce 2.4.6-p2, 2.4.5-p4, 2.4.4-p5, 2.4.7-beta1 and earlier

Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.


Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • wohlie - CVE-2023-38220, CVE-2023-38221, CVE-2023-38249, CVE-2023-38250, CVE-2023-38251, CVE-2023-26367
  • Blaklis - CVE-2023-38219
  • fqdn - CVE-2023-38218
  • Sebastien Cantos (truff) - CVE-2023-26366

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

Revisions

October 13th, 2023: Removed CVE-2023-26368 as it is a 3rd party jQuery dependency. 


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online