Adobe Security Bulletin

Security update available for Adobe Commerce | APSB24-61

| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB24-61 | August 13, 2024 | 3 |

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass and privilege escalation.

Affected Versions

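| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.7-p1 and earlier | All |
| Adobe Commerce | 2.4.6-p6 and earlier | All |
| Adobe Commerce | 2.4.5-p8 and earlier | All |
| Adobe Commerce | 2.4.4-p9 and earlier | All |
| Magento Open Source | 2.4.7-p1 and earlier | All |
| Magento Open Source | 2.4.6-p6 and earlier | All |
| Magento Open Source | 2.4.5-p8 and earlier | All |
| Magento Open Source | 2.4.4-p9 and earlier | All |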

Note: For clarity, the affected versions are now listed for each supported release line instead of only the most recent versions.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

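| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | 2.4.7-p2 for 2.4.7-p1 and earlier | All | 3 | 2.4.x release notes |
| Adobe Commerce | 2.4.6-p7 for 2.4.6-p6 and earlier | All | 3 | 2.4.x release notes |
| Adobe Commerce | 2.4.5-p9 for 2.4.5-p8 and earlier | All | 3 | 2.4.x release notes |
| Adobe Commerce | 2.4.4-p10 for 2.4.4-p9 and earlier | All | 3 | 2.4.x release notes |
| Magento Open Source | 2.4.7-p2 for 2.4.7-p1 and earlier | All | 3 | |
| Magento Open Source | 2.4.6-p7 for 2.4.6-p6 and earlier | All | 3 | |
| Magento Open Source | 2.4.5-p9 for 2.4.5-p8 and earlier | All | 3 | |
| Magento Open Source | 2.4.4-p10 for 2.4.4-p9 and earlier | All | 3 | |
| Adobe Commerce and Magento Open Source | Isolated patch for CVE-2024-39397. Compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7 | All | 3 | Release Notes for Isolated Patch on CVE-2024-39397 |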
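
The version tables above can be turned into an inventory check. The following is an added example, not Adobe's code: it classifies an installed version string against the fixed patch levels listed in this bulletin. The function names, the sample hostnames and the handling of release lines the bulletin does not list are assumptions; pre-release strings (beta, alpha) are rejected rather than guessed at.

```python
import re

# Fixed patch level per release line, taken from the bulletin's Solution table.
FIXED_PATCH = {"2.4.7": 2, "2.4.6": 7, "2.4.5": 9, "2.4.4": 10}

_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:-p(\d+))?$")


def parse_version(version):
    """Split '2.4.6-p3' into ('2.4.6', 3); a bare '2.4.6' is patch level 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return match.group(1), int(match.group(2) or 0)


def check_apsb24_61(version):
    """Return (status, fixed_version) for an installed version string.

    status is 'affected', 'fixed', or 'not-listed' (release line absent from
    the bulletin's tables, so the bulletin makes no statement about it).
    """
    line, patch = parse_version(version)
    fixed = FIXED_PATCH.get(line)
    if fixed is None:
        return "not-listed", None
    fixed_version = f"{line}-p{fixed}"
    return ("affected" if patch < fixed else "fixed"), fixed_version


def triage(inventory):
    """Map {host: version} to the hosts that still need the update."""
    todo = {}
    for host, version in inventory.items():
        status, fixed_version = check_apsb24_61(version)
        if status == "affected":
            todo[host] = fixed_version
    return todo


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "shop-a.example": "2.4.7-p1",
    "shop-b.example": "2.4.6-p7",
    "shop-c.example": "2.4.4",
    "shop-d.example": "2.4.5-p9",
}

if __name__ == "__main__":
    for host, target in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: update to {target}")
```

A version-string check cannot see whether the isolated patch for CVE-2024-39397 has been applied, so a host reported as affected may already be covered for that one CVE only.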

 

Vulnerability Details

| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Unrestricted Upload of File with Dangerous Type (CWE-434) | Arbitrary code execution | Critical | No | No | 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | CVE-2024-39397 | Only merchants using the Apache web server are affected |
| Improper Restriction of Excessive Authentication Attempts (CWE-307) | Security feature bypass | Critical | Yes | Yes | 7.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | CVE-2024-39398 | |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary file system read | Critical | Yes | Yes | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N | CVE-2024-39399 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N | CVE-2024-39400 | |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 8.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | CVE-2024-39401 | |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) | Arbitrary code execution | Critical | Yes | Yes | 8.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H | CVE-2024-39402 | |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Critical | Yes | Yes | 7.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N | CVE-2024-39403 | |
| Information Exposure (CWE-200) | Security feature bypass | Important | Yes | Yes | 6.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N | CVE-2024-39406 | |
| Improper Access Control (CWE-284) | Privilege escalation | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39404 | |
| Improper Access Control (CWE-284) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39405 | |
| Incorrect Authorization (CWE-863) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39407 | |
| Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-39408 | |
| Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | CVE-2024-39409 | |
| Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39410 | |
| Improper Access Control (CWE-284) | Privilege escalation | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39411 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39412 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39413 | |
| Improper Access Control (CWE-284) | Privilege escalation | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39414 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39415 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39416 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39417 | |
| Improper Authorization (CWE-285) | Security feature bypass | Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | CVE-2024-39418 | |
| Improper Access Control (CWE-284) | Privilege escalation | Moderate | Yes | Yes | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | CVE-2024-39419 | |

Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.


Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • Akash Hamal (akashhamal0x01) - CVE-2024-39404, CVE-2024-39405, CVE-2024-39407, CVE-2024-39411, CVE-2024-39412, CVE-2024-39413, CVE-2024-39414, CVE-2024-39415, CVE-2024-39416, CVE-2024-39417, CVE-2024-39418, CVE-2024-39419
  • wohlie - CVE-2024-39401, CVE-2024-39402, CVE-2024-39403
  • Javier Corral (corraldev) - CVE-2024-39398, CVE-2024-39400
  • Alexandrio (alexandrio) - CVE-2024-39408, CVE-2024-39409
  • Blaklis (blaklis) - CVE-2024-39406, CVE-2024-39410
  • T.H. Lassche (thlassche) - CVE-2024-39397
  • Icare (icare) - CVE-2024-39399

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
