Bulletin ID
Last updated on
Oct 23, 2024
Security update available for Adobe Commerce | APSB24-73
|
|
Date Published |
Priority |
|---|---|---|
|
APSB24-73 |
October 08, 2024 |
2 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass and privilege escalation.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce |
2.4.7-p2 and earlier 2.4.6-p7 and earlier 2.4.5-p9 and earlier 2.4.4-p10 and earlier |
All |
| Adobe Commerce B2B |
1.4.2-p2 and earlier 1.3.5-p7 and earlier 1.3.4-p9 and earlier 1.3.3-p10 and earlier |
All |
| Magento Open Source | 2.4.7-p2 and earlier 2.4.6-p7 and earlier 2.4.5-p9 and earlier 2.4.4-p10 and earlier |
All |
Note: For clarity, the affected versions listed are now listed for each supported release line instead of only the most recent versions.
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce |
2.4.7-p3 for 2.4.7-p2 and earlier |
All |
3 |
|
| Adobe Commerce B2B |
1.4.2-p3 for 1.4.2-p2 and earlier 1.3.5-p8 for 1.3.5-p7 and earlier 1.3.4-p10 for 1.3.4-p9 and earlier 1.3.3-p11 for 1.3.3-p10 and earlier |
All | 2 | |
| Adobe Commerce B2B |
Isolated patch for CVE-2024-45115 Compatible with all Adobe Commerce B2B versions between 1.3.3 - 1.4.2 |
All | 2 | |
| Magento Open Source |
2.4.7-p3 for 2.4.7-p2 and earlier |
All |
3 |
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Improper Authentication (CWE-287) |
Privilege escalation |
Critical |
No | No | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2024-45115 | Only applies to B2B edition |
| Improper Authentication (CWE-287) |
Security feature bypass |
Critical | No | No | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2024-45148 |
Only applies to B2B edition |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Critical | Yes | Yes | 8.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N |
CVE-2024-45116 | |
| Improper Input Validation (CWE-20) |
Arbitrary file system read |
Critical |
Yes | Yes | 7.6 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L |
CVE-2024-45117 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Important | Yes | Yes | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVE-2024-45118 | |
| Server-Side Request Forgery (SSRF) (CWE-918) |
Arbitrary file system read |
Important | Yes | Yes | 5.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N |
CVE-2024-45119 | |
| Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) |
Security feature bypass | Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
CVE-2024-45120 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45121 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate |
Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVE-2024-45122 | |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Critical | Yes | Yes | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-45123 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Important | Yes | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45124 | |
| Incorrect Authorization (CWE-863) |
Security feature bypass |
Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45125 | |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Critical | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-45127 | |
| Improper Authorization (CWE-285) |
Security feature bypass |
Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
CVE-2024-45128 | |
| Improper Access Control (CWE-284) |
Privilege escalation |
Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45129 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate | Yes | Yes | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45130 | |
| Improper Authorization (CWE-285) |
Security feature bypass |
Important | Yes | Yes | 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
CVE-2024-45131 | |
| Improper Authorization (CWE-285) |
Privilege escalation |
Important | Yes | Yes | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2024-45132 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate | Yes | Yes | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
CVE-2024-45133 | |
| Information Exposure (CWE-200) |
Security feature bypass |
Moderate | Yes | Yes | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
CVE-2024-45134 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate | Yes | No | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-45135 | |
| Improper Access Control (CWE-284) |
Security feature bypass |
Moderate |
Yes | Yes | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
CVE-2024-45149 |
Note:
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Akash Hamal (akashhamal0x01) - CVE-2024-45118, CVE-2024-45120, CVE-2024-45121, CVE-2024-45122, CVE-2024-45128, CVE-2024-45129, CVE-2024-45130, CVE-2024-45131, CVE-2024-45132
- Blaklis (blaklis) -CVE-2024-45115, CVE-2024-45123, CVE-2024-45133, CVE-2024-45134, CVE-2024-45135, CVE-2024-45148, CVE-2024-45149
- wohlie - CVE-2024-45117
- Javier Corral (corraldev) - CVE-2024-45116
- truff - CVE-2024-45119
- Prashant Bhattarai (g0ndaar) - CVE-2024-45124
- n1nj4sec - CVE-2024-45125
- Tara Owens (tmoh4kr) - CVE-2024-45127
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.