Adobe Security Bulletin

Security update available for Adobe Commerce | APSB24-61

Bulletin ID	Date Published	Priority
APSB24-61	August 13, 2024	3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities.  Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass and privilege escalation.

Affected Versions

Product	Version	Platform
Adobe Commerce	2.4.7-p1 and earlier 2.4.6-p6 and earlier 2.4.5-p8 and earlier 2.4.4-p9 and earlier	All
Magento Open Source	2.4.7-p1 and earlier 2.4.6-p6 and earlier 2.4.5-p8 and earlier 2.4.4-p9 and earlier	All

Note: For clarity, the affected versions listed are now listed for each supported release line instead of only the most recent versions.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product	Updated Version	Platform	Priority Rating	Installation Instructions
Adobe Commerce	2.4.7-p2 for 2.4.7-p1 and earlier 2.4.6-p7 for 2.4.6-p6 and earlier 2.4.5-p9 for 2.4.5-p8 and earlier 2.4.4-p10 for 2.4.4-p9 and earlier	All	3	2.4.x release notes
Magento Open Source	2.4.7-p2 for 2.4.7-p1 and earlier 2.4.6-p7 for 2.4.6-p6 and earlier 2.4.5-p9 for 2.4.5-p8 and earlier 2.4.4-p10 for 2.4.4-p9 and earlier	All	3
Adobe Commerce and Magento Open Source	Isolated patch for CVE-2024-39397 Compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7	All	3	Release Notes for Isolated Patch on CVE-2024-39397

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce

2.4.7-p2 for 2.4.7-p1 and earlier
2.4.6-p7 for 2.4.6-p6 and earlier
2.4.5-p9 for 2.4.5-p8 and earlier
2.4.4-p10 for 2.4.4-p9 and earlier

All

3

2.4.x release notes

Magento Open Source

2.4.7-p2 for 2.4.7-p1 and earlier
2.4.6-p7 for 2.4.6-p6 and earlier
2.4.5-p9 for 2.4.5-p8 and earlier
2.4.4-p10 for 2.4.4-p9 and earlier

All

3

Adobe Commerce and Magento Open Source

Isolated patch for CVE-2024-39397

Compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7

All

3

Release Notes for Isolated Patch on CVE-2024-39397

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	Authentication required to exploit?	Exploit requires admin privileges?	CVSS base score	CVSS vector	CVE number(s)	Notes
Unrestricted Upload of File with Dangerous Type (CWE-434)	Arbitrary code execution	Critical	No	No	9.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H	CVE-2024-39397	Only merchants using the Apache web server are affected
Improper Restriction of Excessive Authentication Attempts (CWE-307)	Security feature bypass	Critical	Yes	Yes	7.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N	CVE-2024-39398
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)	Arbitrary file system read	Critical	Yes	Yes	7.7	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	CVE-2024-39399
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	Yes	Yes	8.1	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N	CVE-2024-39400
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	Arbitrary code execution	Critical	Yes	Yes	8.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H	CVE-2024-39401
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)	Arbitrary code execution	Critical	Yes	Yes	8.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H	CVE-2024-39402
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Critical	Yes	Yes	7.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N	CVE-2024-39403
Information Exposure (CWE-200)	Security feature bypass	Important	Yes	Yes	6.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N	CVE-2024-39406
Improper Access Control (CWE-284)	Privilege escalation	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39404
Improper Access Control (CWE-284)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39405
Incorrect Authorization (CWE-863)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39407
Cross-Site Request Forgery (CSRF) (CWE-352)	Security feature bypass	Moderate	Yes	No	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	CVE-2024-39408
Cross-Site Request Forgery (CSRF) (CWE-352)	Security feature bypass	Moderate	Yes	No	4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N	CVE-2024-39409
Cross-Site Request Forgery (CSRF) (CWE-352)	Security feature bypass	Moderate	Yes	No	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39410
Improper Access Control (CWE-284)	Privilege escalation	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39411
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39412
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39413
Improper Access Control (CWE-284)	Privilege escalation	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39414
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39415
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39416
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39417
Improper Authorization (CWE-285)	Security feature bypass	Moderate	Yes	Yes	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N	CVE-2024-39418
Improper Access Control (CWE-284)	Privilege escalation	Moderate	Yes	Yes	4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	CVE-2024-39419

Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.

Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

Akash Hamal (akashhamal0x01) - CVE-2024-39404, CVE-2024-39405, CVE-2024-39407, CVE-2024-39411, CVE-2024-39412, CVE-2024-39413, CVE-2024-39414, CVE-2024-39415, CVE-2024-39416, CVE-2024-39417, CVE-2024-39418, CVE-2024-39419
wohlie - CVE-2024-39401, CVE-2024-39402, CVE-2024-39403
Javier Corral (corraldev) - CVE-2024-39398, CVE-2024-39400
Alexandrio (alexandrio) - CVE-2024-39408, CVE-2024-39409
Blaklis (blaklis) - CVE-2024-39406, CVE-2024-39410
T.H. Lassche (thlassche) - CVE-2024-39397
Icare (icare) - CVE-2024-39399

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Adobe Security Bulletin

Summary

Affected Versions

Solution

Vulnerability Details

Acknowledgements

Get help faster and easier

Ask the Community

Contact Us