Security Updates Available for Magento | APSB20-22

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB20-22 | April 28, 2020 | 2 |
Summary
Magento has released updates for Magento Commerce and Open Source editions. These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings). Successful exploitation could lead to arbitrary code execution.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Magento Commerce | 2.3.4 and earlier versions | All |
| Magento Open Source | 2.3.4 and earlier versions | All |
| Magento Commerce | 2.2.11 and earlier versions (see note) | All |
| Magento Open Source | 2.2.11 and earlier versions (see note) | All |
| Magento Enterprise Edition | 1.14.4.4 and earlier versions | All |
| Magento Community Edition | 1.9.4.4 and earlier versions | All |

Note: Magento 2.2.x reached end of support on December 31, 2019.
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Version | Platform | Priority Rating | Availability |
|---|---|---|---|---|
| Magento Commerce | 2.3.4-p2 | All | 2 | |
| Magento Open Source | 2.3.4-p2 | All | 2 | |
| Magento Commerce | 2.3.5-p1 | All | 2 | |
| Magento Open Source | 2.3.5-p1 | All | 2 | |
| Magento Enterprise Edition | 1.14.4.5 | All | 2 | |
| Magento Community Edition | 1.9.4.5 | All | 2 | |

Note: Magento Commerce 2.2.12 is available exclusively to extended support Commerce customers.
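The inventory check below is an added example, not code from the bulletin or from Adobe or Magento: it parses Magento version strings, including the -pN patch suffix, and classifies an installed build against the fixed releases listed above. The `FIXED_RELEASES` list, the `AFFECTED_THROUGH` ceiling and the `assess` function are constructions of this example.

```python
import re
from typing import List, Tuple

Version = Tuple[Tuple[int, ...], int]  # (dotted base components, -pN patch level)

# Fixed releases named in APSB20-22, one or two per affected release line.
FIXED_RELEASES = ["2.3.4-p2", "2.3.5-p1", "2.2.12", "1.14.4.5", "1.9.4.5"]

# "2.3.4 and earlier versions" also covers Magento 2 lines with no fix listed
# (for example 2.1.x). Magento 1 lines are matched by their fixed releases only.
AFFECTED_THROUGH = {2: (2, 3, 4)}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-p(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse '2.3.4-p2' -> ((2, 3, 4), 2); a missing -pN suffix is level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, int(m.group(2) or 0)


def assess(installed: str, fixed: List[str] = FIXED_RELEASES) -> str:
    """Classify an installed version against the bulletin's fixed releases."""
    base, patch = parse_version(installed)
    line = base[:2]  # release line, e.g. (2, 3) or (1, 14)
    same_line = [parse_version(f) for f in fixed if parse_version(f)[0][:2] == line]
    if not same_line:
        ceiling = AFFECTED_THROUGH.get(base[0])
        if ceiling and base <= ceiling:
            return "affected, no fix in this line"
        return "not listed"  # line not named in this bulletin
    for fixed_base, fixed_patch in same_line:
        if fixed_base == base:  # same x.y.z: the -pN level decides
            return "fixed" if patch >= fixed_patch else "affected"
    if base > max(fb for fb, _ in same_line):
        return "newer than bulletin"  # released after the fixes it lists
    return "affected"  # older than every fix in its line


if __name__ == "__main__":
    for v in ["2.3.4-p1", "2.3.4-p2", "2.3.5", "2.3.5-p1", "2.2.11", "1.9.4.4"]:
        print(f"{v:>10}: {assess(v)}")
```

A build such as 2.3.5 without the -p1 suffix is reported as affected because the bulletin names 2.3.5-p1, not 2.3.5, as the fixed release for that line.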
Vulnerability details
1. CVE-2020-9585 is mitigated in default installs
2. CVE-2020-9591 exclusively impacts Magento 1
Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
Acknowledgments
Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:
- Blaklis (CVE-2020-9576, CVE-2020-9579, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584)
- Flatmoon (CVE-2020-9577)
- Y0natan (CVE-2020-9578)
- Edgar Boda-Majer (CVE-2020-9580)
- Qubitz (CVE-2020-9585)
- Magnusg (CVE-2020-9587)
- Wasin Sae-ngow (CVE-2020-9588)
- Max Chadwick (CVE-2020-9630)
Revisions
May 4, 2020: Removed acknowledgement for CVE-2020-9586.
May 7, 2020: Added CVE-2020-9630, which was inadvertently omitted from the original version.
May 12, 2020: Added CVE-2020-9631 and CVE-2020-9632, which were inadvertently omitted from the original version.