Bulletin ID
Last updated on
26 Jul 2024
Security update available for Adobe Commerce | APSB24-40
|
|
Date Published |
Priority |
|---|---|---|
|
APSB24-40 |
June 11, 2024 |
1 |
Summary
Adobe has released a security update for Adobe Commerce, Magento Open Source and Adobe Commerce Webhooks Plugin. This update resolves critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and privilege escalation.
Adobe is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce |
2.4.7 and earlier 2.4.6-p5 and earlier 2.4.5-p7 and earlier 2.4.4-p8 and earlier 2.4.3-ext-7 and earlier* 2.4.2-ext-7 and earlier* |
All |
| Magento Open Source | 2.4.7 and earlier 2.4.6-p5 and earlier 2.4.5-p7 and earlier 2.4.4-p8 and earlier |
All |
| Adobe Commerce Webhooks Plugin |
1.2.0 to 1.4.0 |
Manual Plugin Installation |
Note: For clarity, the affected versions listed are now listed for each supported release line instead of only the most recent versions.
* These versions are only applicable to customers participating in the Extended Support Program
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce |
2.4.7-p1 for 2.4.7 and earlier |
All |
1 | 2.4.x release notes |
| Magento Open Source |
2.4.7-p1 for 2.4.7 and earlier |
All |
1 | |
| Adobe Commerce Webhooks Plugin |
1.5.0 | Manual Plugin Installation | 1 | Upgrade Modules and Extensions |
| Adobe Commerce and Magento Open Source | Isolated patch for CVE-2024-34102: ACSD-60241
Compatable with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7 |
All | 1 | Release Notes for Isolated Patch
|
| Note: * These versions are only applicable to customers participating in the Extended Support Program | ||||
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) | Notes |
|---|---|---|---|---|---|---|---|---|
| Server-Side Request Forgery (SSRF) (CWE-918) |
Arbitrary code execution |
Critical | Yes | Yes | 8.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
CVE-2024-34111 |
None |
| Improper Restriction of XML External Entity Reference ('XXE') (CWE-611) |
Arbitrary code execution |
Critical | No | No | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2024-34102 |
None |
| Improper Authentication (CWE-287) |
Privilege escalation |
Critical | No | No | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2024-34103 |
None |
| Improper Authorization (CWE-285) |
Security feature bypass |
Critical |
Yes | No | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
CVE-2024-34104 |
None |
| Improper Input Validation (CWE-20) |
Arbitrary code execution |
Critical |
Yes |
Yes |
9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2024-34108
|
Adobe Commerce Webhooks Plugin |
| Improper Input Validation (CWE-20) |
Arbitrary code execution |
Critical | Yes |
Yes |
8.0 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2024-34109 | Adobe Commerce Webhooks Plugin |
| Unrestricted Upload of File with Dangerous Type (CWE-434) |
Arbitrary code execution |
Critical | Yes |
Yes |
8.0 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2024-34110 | Adobe Commerce Webhooks Plugin |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Important | Yes | Yes | 4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVE-2024-34105 | None |
| Improper Authentication (CWE-287) |
Security feature bypass |
Important | Yes | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2024-34106 | None |
| Improper Access Control (CWE-284) |
Security feature bypass |
Important |
No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2024-34107 | None |
Note:
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- wohlie - CVE-2024-34108, CVE-2024-34109, CVE-2024-34110
- T.H. Lassche (thlassche) - CVE-2024-34104, CVE-2024-34107
- spacewasp - CVE-2024-34102
- persata - CVE-2024-34103
- Geluchat (geluchat) - CVE-2024-34105
- Akash Hamal (akashhamal0x01) - CVE-2024-34111
- pranoy_2022 - CVE-2024-34106
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
Revisions
July 8, 2024:
- Priority revised to 1.
June 27, 2024:
- Adobe has provided an isolated patch for CVE-2024-34102.
June 26, 2024:
- Revised Bulletin priority from 3 to 2. Adobe is aware that there is a publicly available writeup related to CVE-2024-34102.
- Removed inapplicable end-of-life extended support versions from Affected and Solution versions tables
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.