Adobe Security Bulletin

Search

Security Updates Available for Magento | APSB20-22

Bulletin ID

Date Published

Priority

ASPB20-22

April 28, 2020      

2

Summary

Magento has released updates for Magento Commerce and Open Source editions.  These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings).  Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product

Version

Platform

Magento Commerce 

2.3.4 and earlier versions    

All

Magento Open Source   

2.3.4 and earlier versions    

All

Magento Commerce 

2.2.11 and earlier versions (see note)

All

Magento Open Source  

2.2.11 and earlier versions (see note)

All

Magento Enterprise Edition    

1.14.4.4 and earlier versions    

All

Magento Community Edition  

1.9.4.4 and earlier versions

All
Note:

Magento 2.2x reached end of support on December 31, 2019.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Version

Platform

Priority Rating

Availability

Magento Commerce    

2.3.4-p2

All

2

2.3.4-p2 Commerce

Magento Open Source    

2.3.4-p2

All

2

2.3.4-p2 Open Source

Magento Commerce    

2.3.5-p1

All

2

2.3.5 Commerce

Magento Open Source    

2.3.5-p1

All

2

2.3.5 Open Source

Magento Enterprise Edition    

1.14.4.5

All

2

1.14.4.5

Magento Community Edition    

1.9.4.5

All

2

1.9.4.5
Note:

Magento Commerce 2.2.12 is available exclusively to extended support Commerce customers.

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

 Magento Bug ID CVE numbers
Command injection



 Arbitrary code execution



 Critical



 No Yes PRODSECBUG-2707



 CVE-2020-9576
Stored cross-site scripting    



 Sensitive information disclosure    



 Important Yes



 No PRODSECBUG-2671



 CVE-2020-9577 
Command injection



 Arbitrary code execution



 Critical 



 No Yes PRODSECBUG-2695



 CVE-2020-9578  
Security mitigation bypass



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2696



 CVE-2020-9579
Security mitigation bypass



 Arbitrary code execution Critical



 No



 Yes



 PRODSECBUG-2697



 CVE-2020-9580
Stored cross-site scripting



 Sensitive information disclosure



 Important



 No



 Yes



 PRODSECBUG-2700



 CVE-2020-9581
Command injection



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2708



 CVE-2020-9582
Command injection



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2710



 CVE-2020-9583
Stored cross-site scripting



 Sensitive information disclosure



 Important



 Yes



 No



 PRODSECBUG-2715



 CVE-2020-9584
Defense-in-depth security mitigation



 Arbitrary code execution



 Moderate



 No



 Yes



 PRODSECBUG-2541



 CVE-2020-9585
Defense-in-depth security mitigation



 Unauthorized access to admin panel



 Moderate



 Yes Yes



 MPERF-10898



 CVE-2020-9591
Authorization bypass



 Potentially unauthorized product discounts



 Moderate



 Yes



 No



 PRODSECBUG-2518



 CVE-2020-9587
Observable Timing Discrepancy Signature verification bypass



 Important



 No



 Yes



 PRODSECBUG-2677



 CVE-2020-9588
Business logic error Privilege escalation Important No Yes PRODSECBUG-2722 CVE-2020-9630
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2703 CVE-2020-9631
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2704 CVE-2020-9632
Note:

1.     CVE-2020-9585 is mitigated in default installs

2.     CVE-2020-9591 exclusively impacts Magento 1

Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:  

  • Blaklis (CVE-2020-9576, CVE-2020-9579, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584)
  • Flatmoon (CVE-2020-9577)
  • Y0natan (CVE-2020-9578)
  • Edgar Boda-Majer (CVE-2020-9580)
  • Qubitz (CVE-2020-9585)
  • Magnusg (CVE-2020-9587)
  • Wasin Sae-ngow (CVE-2020-9588)
  • Max Chadwick (CVE-2020-9630)

 

Revisions

May 4, 2020: Removed acknowledgement for CVE-2020-9586.

May 7, 2020: Added CVE-2020-9630, which was inadvertently omitted from original version. 

May 12, 2020: Added CVE-2020-9631 and CVE-2020-9632, which were inadvertently omitted from original version. 

 Adobe

Get help faster and easier

New user?

Quick links

View all your plans Manage your plans
View quick links
Hide quick links