CVE-2022-24093: Adobe Security Bulletin
Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability. Exploitation of this issue does not require user interaction and could result in post-authentication arbitrary code execution.
Security update available for Adobe Commerce | APSB22-13
Bulletin ID: APSB22-13
Date Published: April 12, 2022
Priority: 3
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution.
Affected Versions
Product | Version | Platform
Adobe Commerce | 2.4.3-p1 and earlier versions | All
Adobe Commerce | 2.3.7-p2 and earlier versions | All
Magento Open Source | 2.4.3-p1 and earlier versions | All
Magento Open Source | 2.3.7-p2 and earlier versions | All
Solution
Adobe categorizes these updates with the following priority ratings and recommends that users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Installation Instructions
Adobe Commerce | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 | 2.4.x release notes; 2.3.x release notes
Magento Open Source | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 |
Vulnerability Details
Vulnerability Category: Improper Input Validation (CWE-20)
Vulnerability Impact: Arbitrary code execution
Severity: Critical
Authentication required to exploit? Yes
Exploit requires admin privileges? Yes
CVSS base score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Magento Bug ID: PRODSECBUG-3137
CVE number(s): CVE-2022-24093
Acknowledgements
Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:
- Blaklis and Eboda - CVE-2022-24093
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].