Bulletin ID
Last updated on
Nov 12, 2024
Security update available for Adobe Commerce | APSB24-90
|
|
Date Published |
Priority |
|---|---|---|
|
APSB24-90 |
November 12, 2024 |
3 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source features powered by Commerce Services and deployed as SaaS (software as a service). This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce and Magento Open Source powered by Commerce Services and deployed as SaaS (software as a service). (Commerce Services Connector) | 3.2.5 and earlier | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce and Magento Open Source powered by Commerce Services and deployed as SaaS (software as a service). (Commerce Services Connector) | 3.2.6 |
All |
3 |
|
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Server-Side Request Forgery (SSRF) (CWE-918) |
Arbitrary code execution |
Critical |
Yes | Yes | 7.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
CVE-2024-49521 |
Note:
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Akash Hamal (akashhamal0x01) - CVE-2024-49521
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.