CVE-2023-38251: Adobe Security Bulletin

Security update available for Adobe Commerce | APSB23-50

Bulletin ID

Date Published

Priority

APSB23-50

October 10, 2023

3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

Affected Versions

Product

Version

Platform

Adobe Commerce

2.4.7-beta1 and earlier
2.4.6-p2 and earlier
2.4.5-p4 and earlier
2.4.4-p5 and earlier
2.4.3-ext-4 and earlier*
2.4.2-ext-4 and earlier*
2.4.1-ext-4 and earlier*
2.4.0-ext-4 and earlier*
2.3.7-p4-ext-4 and earlier*

All

Magento Open Source

2.4.7-beta1 and earlier
2.4.6-p2 and earlier
2.4.5-p4 and earlier
2.4.4-p5 and earlier

All

Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.
* These versions are only applicable to customers participating in the Extended Support Program

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce

2.4.7-beta2 for 2.4.7-beta1 and earlier
2.4.6-p3 for 2.4.6-p2 and earlier
2.4.5-p5 for 2.4.5-p4 and earlier
2.4.4-p6 for 2.4.4-p5 and earlier
2.4.3-ext-5 for 2.4.3-ext-4 and earlier*
2.4.2-ext-5 for 2.4.2-ext-4 and earlier*
2.4.1-ext-5 for 2.4.1-ext-4 and earlier*
2.4.0-ext-5 for 2.4.0-ext-4 and earlier*
2.3.7-p4-ext-5 for 2.3.7-p4-ext-4 and earlier*

All

3

2.4.x release notes

Magento Open Source

2.4.7-beta2 for 2.4.7-beta1 and earlier
2.4.6-p3 for 2.4.6-p2 and earlier
2.4.5-p5 for 2.4.5-p4 and earlier
2.4.4-p6 for 2.4.4-p5 and earlier

All

3

Note: * These versions are only applicable to customers participating in the Extended Support Program

Vulnerability Details

Vulnerability Category

Vulnerability Impact

Severity

Authentication required to exploit?

Exploit requires admin privileges?

CVSS base score

CVSS vector

CVE number(s)

Improper Input Validation (CWE-20)

Privilege escalation

Critical

No

No

8.8

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-38218

Cross-site Scripting (Stored XSS) (CWE-79)

Privilege escalation

Critical

Yes

Yes

8.4

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVE-2023-38219

Improper Authorization (CWE-285)

Security feature bypass

Critical

Yes

No

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2023-38220

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)

Arbitrary code execution

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-38221

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)

Arbitrary code execution

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-38249

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (CWE-89)

Arbitrary code execution

Critical

Yes

Yes

8.0

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2023-38250

Information Exposure (CWE-200)

Arbitrary code execution

Critical

Yes

Yes

7.6

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

CVE-2023-26367

Uncontrolled Resource Consumption (CWE-400)

Application denial-of-service

Important

No

No

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2023-38251

Server-Side Request Forgery (SSRF) (CWE-918)

Arbitrary file system read

Important

Yes

Yes

6.8

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

CVE-2023-26366

Cross-site Scripting (XSS) (CWE-79)

Arbitrary code execution

Important

Yes

Yes

5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE-2023-26368

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.

Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

• wohlie - CVE-2023-38220, CVE-2023-38221, CVE-2023-38249, CVE-2023-38250, CVE-2023-38251, CVE-2023-26367

• Blaklis - CVE-2023-38219

• fqdn - CVE-2023-38218

• Sebastien Cantos (truff) - CVE-2023-26366

• Yim Bryan H.T. (CITD) - CVE-2023-26368

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

For more information, visit https://helpx.adobe.com/security.html, or email [email protected].