Security updates available for Adobe Commerce | APSB21-86

Bulletin ID | Date Published | Priority |
---|---|---|
APSB21-86 | October 12, 2021 | 2 |

Summary
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated important. Successful exploitation could lead to security feature bypass.
Affected Versions
Product | Version | Platform |
---|---|---|
Adobe Commerce | 2.4.2-p2 and earlier versions | All |
Adobe Commerce | 2.4.3 and earlier versions | All |
Adobe Commerce | 2.3.7-p1 and earlier versions | All |
Magento Open Source | 2.4.2-p2 and earlier versions | All |
Magento Open Source | 2.4.3 and earlier versions | All |
Magento Open Source | 2.3.7-p1 and earlier versions | All |

Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Release Notes |
---|---|---|---|---|
Adobe Commerce | 2.4.3-p1 | All | 2 | |
Adobe Commerce | 2.3.7-p2 | All | 2 | |
Magento Open Source | 2.4.3-p1 | All | 2 | |
Magento Open Source | 2.3.7-p2 | All | 2 | |

Vulnerability details
Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | CVSS base score | CVSS vector | Magento Bug ID | CVE numbers |
---|---|---|---|---|---|---|---|---|
Cross-Site Request Forgery (CSRF) (CWE-352) | Security feature bypass | Important | yes | no | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N | PRODSECBUG-3029 | CVE-2021-39864 |

Pre-authentication: The vulnerability is exploitable without credentials.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.