Adobe Security Bulletin

Security Updates Available for Magento | APSB20-22

Bulletin ID

Date Published

Priority

ASPB20-22

April 28, 2020      

2

Summary

Magento has released updates for Magento Commerce and Open Source editions.  These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings).  Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product

Version

Platform

Magento Commerce 

2.3.4 and earlier versions    

All

Magento Open Source   

2.3.4 and earlier versions    

All

Magento Commerce 

2.2.11 and earlier versions (see note)

All

Magento Open Source  

2.2.11 and earlier versions (see note)

All

Magento Enterprise Edition    

1.14.4.4 and earlier versions    

All

Magento Community Edition  

1.9.4.4 and earlier versions

All

Note:

Magento 2.2x reached end of support on December 31, 2019.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Version

Platform

Priority Rating

Availability

Magento Commerce    

2.3.4-p2

All

2

Magento Open Source    

2.3.4-p2

All

2

Magento Commerce    

2.3.5-p1

All

2

Magento Open Source    

2.3.5-p1

All

2

Magento Enterprise Edition    

1.14.4.5

All

2

Magento Community Edition    

1.9.4.5

All

2

Note:

Magento Commerce 2.2.12 is available exclusively to extended support Commerce customers.

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

Magento Bug ID CVE numbers
Command injection



Arbitrary code execution



Critical



No Yes PRODSECBUG-2707



CVE-2020-9576



Stored cross-site scripting    



Sensitive information disclosure    



Important Yes



No PRODSECBUG-2671



CVE-2020-9577 



Command injection



Arbitrary code execution



Critical 



No Yes PRODSECBUG-2695



CVE-2020-9578  



Security mitigation bypass



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2696



CVE-2020-9579
Security mitigation bypass



Arbitrary code execution Critical



No



Yes



PRODSECBUG-2697



CVE-2020-9580
Stored cross-site scripting



Sensitive information disclosure



Important



No



Yes



PRODSECBUG-2700



CVE-2020-9581
Command injection



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2708



CVE-2020-9582
Command injection



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2710



CVE-2020-9583
Stored cross-site scripting



Sensitive information disclosure



Important



Yes



No



PRODSECBUG-2715



CVE-2020-9584
Defense-in-depth security mitigation



Arbitrary code execution



Moderate



No



Yes



PRODSECBUG-2541



CVE-2020-9585
Defense-in-depth security mitigation



Unauthorized access to admin panel



Moderate



Yes Yes



MPERF-10898



CVE-2020-9591



Authorization bypass



Potentially unauthorized product discounts



Moderate



Yes



No



PRODSECBUG-2518



CVE-2020-9587



Observable Timing Discrepancy Signature verification bypass



Important



No



Yes



PRODSECBUG-2677



CVE-2020-9588
Business logic error Privilege escalation Important No Yes PRODSECBUG-2722 CVE-2020-9630
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2703 CVE-2020-9631
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2704 CVE-2020-9632
Note:

1.     CVE-2020-9585 is mitigated in default installs

2.     CVE-2020-9591 exclusively impacts Magento 1

Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:  

  • Blaklis (CVE-2020-9576, CVE-2020-9579, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584)
  • Flatmoon (CVE-2020-9577)
  • Y0natan (CVE-2020-9578)
  • Edgar Boda-Majer (CVE-2020-9580)
  • Qubitz (CVE-2020-9585)
  • Magnusg (CVE-2020-9587)
  • Wasin Sae-ngow (CVE-2020-9588)
  • Max Chadwick (CVE-2020-9630)

 

Revisions

May 4, 2020: Removed acknowledgement for CVE-2020-9586.

May 7, 2020: Added CVE-2020-9630, which was inadvertently omitted from original version. 

May 12, 2020: Added CVE-2020-9631 and CVE-2020-9632, which were inadvertently omitted from original version. 

 Adobe

Get help faster and easier

New user?