Security update available for Adobe Commerce | APSB22-13
Bulletin ID | Date Published | Priority |
---|---|---|
APSB22-13 | April 12, 2022 | 3 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution.
Affected Versions
Product | Version | Platform |
---|---|---|
Adobe Commerce | 2.4.3-p1 and earlier versions | All |
Adobe Commerce | 2.3.7-p2 and earlier versions | All |
Magento Open Source | 2.4.3-p1 and earlier versions | All |
Magento Open Source | 2.3.7-p2 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Installation Instructions |
---|---|---|---|---|
Adobe Commerce | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 | |
Magento Open Source | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 | |
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s) |
---|---|---|---|---|---|---|---|---|
Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-3137 | CVE-2022-24093 |
Acknowledgements
Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:
- Blaklis and Eboda - CVE-2022-24093
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.