Headline
CVE-2023-29297: Adobe Security Bulletin
Adobe Commerce versions 2.4.6 (and earlier), 2.4.5-p2 (and earlier) and 2.4.4-p3 (and earlier) are affected by a Improper Neutralization of Special Elements Used in a Template Engine vulnerability that could lead to arbitrary code execution by an admin-privilege authenticated attacker. Exploitation of this issue does not require user interaction.
Security update available for Adobe Commerce | APSB23-35
Bulletin ID
Date Published
Priority
APSB23-35
June 13, 2023
3
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and arbitrary file system read.
Affected Versions
Product
Version
Platform
Adobe Commerce
2.4.6 and earlier
2.4.5-p2 and earlier
2.4.4-p3 and earlier
2.4.3-ext-2 and earlier*
2.4.2-ext-2 and earlier*
2.4.1-ext-2 and earlier*
2.4.0-ext-2 and earlier*
2.3.7-p4-ext-2 and earlier*
All
Magento Open Source
2.4.6 and earlier
2.4.5-p2 and earlier
2.4.4-p3 and earlier
All
Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.
* These versions are only applicable to customers participating in the Extended Support Program
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product
Updated Version
Platform
Priority Rating
Installation Instructions
Adobe Commerce
2.4.6-p1 for 2.4.6 and earlier
2.4.5-p3 for 2.4.5-p2 and earlier
2.4.4-p4 for 2.4.4-p3 and earlier
2.4.3-ext-3 for 2.4.3-ext-2 and earlier*
2.4.2-ext-3 for 2.4.2-ext-2 and earlier*
2.4.1-ext-3 for 2.4.1-ext-2 and earlier*
2.4.0-ext-3 for 2.4.0-ext-2 and earlier*
2.3.7-p4-ext-3 for 2.3.7-p4-ext-2 and earlier*
All
3
2.4.x release notes
Magento Open Source
2.4.6-p1 for 2.4.6 and earlier
2.4.5-p3 for 2.4.5-p2 and earlier
2.4.4-p4 for 2.4.4-p3 and earlier
All
3
Note: * These versions are only applicable to customers participating in the Extended Support Program
Vulnerability Details
Vulnerability Category
Vulnerability Impact
Severity
Authentication required to exploit?
Exploit requires admin privileges?
CVSS base score
CVSS vector
CVE number(s)
Information Exposure (CWE-200)
Security feature bypass
Important
No
No
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2023-29287
Incorrect Authorization (CWE-863)
Security feature bypass
Moderate
Yes
No
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2023-29288
XML Injection (aka Blind XPath Injection) (CWE-91)
Security feature bypass
Important
Yes
Yes
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2023-29289
Missing Support for Integrity Check (CWE-353)
Security feature bypass
Important
No
No
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2023-29290
Server-Side Request Forgery (SSRF) (CWE-918)
Security feature bypass
Important
Yes
Yes
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2023-29291
Server-Side Request Forgery (SSRF) (CWE-918)
Arbitrary file system read
Important
Yes
Yes
4.9
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVE-2023-29292
Improper Input Validation (CWE-20)
Security feature bypass
Moderate
Yes
Yes
2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
CVE-2023-29293
Business Logic Errors (CWE-840)
Security feature bypass
Moderate
Yes
No
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2023-29294
Incorrect Authorization (CWE-863)
Security feature bypass
Moderate
Yes
No
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2023-29295
Incorrect Authorization (CWE-863)
Security feature bypass
Moderate
Yes
No
4.3
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE-2023-29296
Cross-site Scripting (Stored XSS) (CWE-79)
Arbitrary code execution
Critical
Yes
Yes
9.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2023-29297
Incorrect Authorization (CWE-863)
Security feature bypass
Critical
No
No
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2023-22248
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Aliefis Galih (aliefis) - CVE-2023-29289, CVE-2023-29294, CVE-2023-29295
- Sebastien Cantos (truff) - CVE-2023-29291, CVE-2023-29292
- Pieter Zandbergen (pmzandbergen) - CVE-2023-29290
- Tomasz Gregorczyk (silpion) - CVE-2023-29293
- Blaklis (blaklis) - CVE-2023-29297
- Kunal Pandey (kunal94) - CVE-2023-22248
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email [email protected].