Adobe Security Bulletin

Security Updates Available for Adobe Commerce | APSB21-64

Bulletin ID | Date Published | Priority
APSB21-64 | August 11, 2021 | 2

Summary

Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.       

Affected Versions

Product | Version | Platform
Adobe Commerce | 2.4.2 and earlier versions | All
Adobe Commerce | 2.4.2-p1 and earlier versions | All
Adobe Commerce | 2.3.7 and earlier versions | All
Magento Open Source | 2.4.2-p1 and earlier versions | All
Magento Open Source | 2.3.7 and earlier versions | All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product | Updated Version | Platform | Priority Rating | Release Notes
Adobe Commerce | 2.4.3 | All | 2 | 2.4.x release notes
Adobe Commerce | 2.4.2-p2 | All | 2 | 2.4.x release notes
Adobe Commerce | 2.3.7-p1 | All | 2 | 2.3.x release notes
Magento Open Source | 2.4.3 | All | 2 | 2.4.x release notes
Magento Open Source | 2.4.2-p2 | All | 2 | 2.4.x release notes
Magento Open Source | 2.3.7-p1 | All | 2 | 2.3.x release notes
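One way to check an installation against the affected and updated version ranges above, as an added example that is not part of Adobe's bulletin: it encodes the lowest patched release per branch from the Solution table and orders security-patch releases (-pN) between base releases, so 2.4.2-p1 is affected while 2.4.2-p2 and 2.4.3 are not. The version string is assumed to be supplied by the caller (for instance from the installation's composer.json).

```python
import re
from typing import Tuple

Version = Tuple[int, int, int, int]

# Lowest patched release per branch, taken from the bulletin's Solution table.
# Anything in the branch that sorts below its floor is in the affected range.
FIXED_FLOORS = {
    (2, 3): (2, 3, 7, 1),   # 2.3.7-p1
    (2, 4): (2, 4, 2, 2),   # 2.4.2-p2 (2.4.3 sorts above it and is also patched)
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn '2.4.2-p1' into (2, 4, 2, 1). A release with no -pN suffix gets
    patch level 0, so plain tuple comparison gives the order
    2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside the ranges APSB21-64 lists as affected."""
    v = parse_version(text)
    floor = FIXED_FLOORS.get(v[:2])
    if floor is not None:
        return v < floor
    # Branches older than 2.3 fall under "and earlier versions"; branches newer
    # than 2.4 are not listed as affected by this bulletin.
    return v < (2, 3, 0, 0)


if __name__ == "__main__":
    # Constructed sample inputs covering both sides of each branch floor.
    for sample in ["2.4.2", "2.4.2-p1", "2.4.2-p2", "2.4.3",
                   "2.3.7", "2.3.7-p1", "2.3.6-p1", "2.2.11"]:
        print(f"{sample:10} affected={is_affected(sample)}")
```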

Vulnerability details

Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | CVSS base score | CVSS vector | Magento Bug ID | CVE numbers
Business Logic Errors (CWE-840) | Security feature bypass | Important | yes | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2934 | CVE-2021-36012
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | PRODSECBUG-2963, PRODSECBUG-2964 | CVE-2021-36026, CVE-2021-36027
Improper Access Control (CWE-284) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2977 | CVE-2021-36036
Improper Authorization (CWE-285) | Security feature bypass | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2968 | CVE-2021-36029
Improper Authorization (CWE-285) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2980 | CVE-2021-36037
Improper Input Validation (CWE-20) | Application denial-of-service | Critical | no | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | PRODSECBUG-3004 | CVE-2021-36044
Improper Input Validation (CWE-20) | Privilege escalation | Critical | yes | no | 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | PRODSECBUG-2971 | CVE-2021-36032
Improper Input Validation (CWE-20) | Security feature bypass | Critical | no | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2969 | CVE-2021-36030
Improper Input Validation (CWE-20) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2982 | CVE-2021-36038
Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2959, PRODSECBUG-2960, PRODSECBUG-2962, PRODSECBUG-2975, PRODSECBUG-2976, PRODSECBUG-2987, PRODSECBUG-2988, PRODSECBUG-2992 | CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042
Path Traversal (CWE-22) | Arbitrary code execution | Critical | yes | yes | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | PRODSECBUG-2970 | CVE-2021-36031
OS Command Injection (CWE-78) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2958, PRODSECBUG-2960 | CVE-2021-36022, CVE-2021-36023
Incorrect Authorization (CWE-863) | Arbitrary file system read | Important | yes | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2984 | CVE-2021-36039
Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary code execution | Critical | yes | yes | 8 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2996 | CVE-2021-36043
XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | no | no | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | PRODSECBUG-2937 | CVE-2021-36020
XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | yes | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2965, PRODSECBUG-2972 | CVE-2021-36028, CVE-2021-36033

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
  • Igorsdv (CVE-2021-36012)
  • Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
  • Dftrace (CVE-2021-36044)
  • Floorz (CVE-2021-36030)
  • Eboda (CVE-2021-36022)
  • Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)


Revisions

August 13, 2021: Updated Magento/Magento Commerce with Adobe Commerce.


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
