Security update available for Adobe Commerce | APSB23-50

Bulletin ID | Date Published | Priority |
---|---|---|
APSB23-50 | October 10, 2023 | 3 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.
Affected Versions
Product | Version | Platform |
---|---|---|
Adobe Commerce | 2.4.7-beta1 and earlier; 2.4.6-p2 and earlier; 2.4.5-p4 and earlier; 2.4.4-p5 and earlier; 2.4.3-ext-4 and earlier*; 2.4.2-ext-4 and earlier*; 2.4.1-ext-4 and earlier*; 2.4.0-ext-4 and earlier*; 2.3.7-p4-ext-4 and earlier* | All |
Magento Open Source | 2.4.7-beta1 and earlier; 2.4.6-p2 and earlier; 2.4.5-p4 and earlier; 2.4.4-p5 and earlier | All |
Note: For clarity, the affected versions are now listed for each release line instead of only for the most recent versions.
* These versions are only applicable to customers participating in the Extended Support Program.
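As an added illustration (not part of Adobe's bulletin), the following Python check parses an installed Adobe Commerce or Magento Open Source version string and reports whether it falls at or below one of the affected ceilings in the table above. The ceilings are copied from the table; the relative ordering of `-betaN`, `-pN` and `-ext-N` suffixes is an assumption about Adobe's versioning scheme, and a release line the bulletin does not list is reported as unknown rather than as safe.

```python
import re
from typing import Optional

# Affected ceilings per release line, copied from the APSB23-50 table.
# Each entry means "this version and earlier on the same release line".
AFFECTED = {
    "Adobe Commerce": [
        "2.4.7-beta1", "2.4.6-p2", "2.4.5-p4", "2.4.4-p5",
        "2.4.3-ext-4", "2.4.2-ext-4", "2.4.1-ext-4", "2.4.0-ext-4",
        "2.3.7-p4-ext-4",
    ],
    "Magento Open Source": ["2.4.7-beta1", "2.4.6-p2", "2.4.5-p4", "2.4.4-p5"],
}

# major.minor.patch with optional -betaN, -pN and -ext-N suffixes
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-beta(\d+))?(?:-p(\d+))?(?:-ext-(\d+))?$"
)


def version_key(version: str) -> tuple:
    """Map a version string to a sortable tuple.

    Assumed ordering: betaN < GA < pN < ext-N on one release line,
    so that 2.4.3-p3 sorts before 2.4.3-ext-4 (an assumption, not
    something the bulletin states explicitly).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, beta, p, ext = m.groups()
    stage = 0 if beta else 1  # beta builds precede the GA build
    return (int(major), int(minor), int(patch),
            int(ext or 0), stage, int(p or beta or 0))


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if `installed` is at or below its release line's ceiling,
    False if it is newer, None if the line is not in the bulletin."""
    key = version_key(installed)
    for ceiling in AFFECTED[product]:
        ceiling_key = version_key(ceiling)
        if ceiling_key[:3] == key[:3]:  # same major.minor.patch line
            return key <= ceiling_key
    return None
```

A `None` result should be treated as "not covered by this bulletin", not as a clean bill of health.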
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Installation Instructions |
---|---|---|---|---|
Adobe Commerce | 2.4.7-beta2 for 2.4.7-beta1 and earlier | All | 3 | 2.4.x release notes |
Magento Open Source | 2.4.7-beta2 for 2.4.7-beta1 and earlier | All | 3 | |
Note: * These versions are only applicable to customers participating in the Extended Support Program.
Vulnerability Details
Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) |
---|---|---|---|---|---|---|---|
Improper Input Validation (CWE-20) | Privilege escalation | Critical | No | No | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CVE-2023-38218 |
Cross-site Scripting (Stored XSS) (CWE-79) | Privilege escalation | Critical | Yes | Yes | 8.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | CVE-2023-38219 |
Improper Authorization (CWE-285) | Security feature bypass | Critical | Yes | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2023-38220 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | Arbitrary code execution | Critical | Yes | Yes | 8.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2023-38221 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | Arbitrary code execution | Critical | Yes | Yes | 8.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2023-38249 |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) | Arbitrary code execution | Critical | Yes | Yes | 8.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2023-38250 |
Information Exposure (CWE-200) | Arbitrary code execution | Critical | Yes | Yes | 7.6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L | CVE-2023-26367 |
Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVE-2023-38251 |
Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary file system read | Important | Yes | Yes | 6.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | CVE-2023-26366 |
Updates to Dependencies
CVE | Dependency | Vulnerability Impact | Affected Versions |
---|---|---|---|
CVE-2021-41182 | jQuery | Arbitrary Code Execution | Adobe Commerce 2.4.6-p2, 2.4.5-p4, 2.4.4-p5, 2.4.7-beta1 and earlier |
Authentication required to exploit: whether the vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: whether the vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- wohlie - CVE-2023-38220, CVE-2023-38221, CVE-2023-38249, CVE-2023-38250, CVE-2023-38251, CVE-2023-26367
- Blaklis - CVE-2023-38219
- fqdn - CVE-2023-38218
- Sebastien Cantos (truff) - CVE-2023-26366
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Revisions
October 13th, 2023: Removed CVE-2023-26368 as it is a 3rd party jQuery dependency.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.