Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-12

Bulletin ID

Date Published

Last Updated

Priority

APSB22-12

February 13, 2022
      

February 17, 2022

1

Summary

Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution. 

In order to stay up to date with the latest protections, customers must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it. 

Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.     

Affected Versions

Product Version Platform
 Adobe Commerce 2.4.3-p1 and earlier versions  
All
2.3.7-p2 and earlier versions  
All
Magento Open Source

2.4.3-p1 and earlier versions       

All
2.3.7-p2 and earlier versions All

Note: Adobe Commerce and Magento Open Source versions 2.3.0 to 2.3.3 are not affected.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Updated Version Platform Priority Rating Installation Instructions

Adobe Commerce 2.4.3 - 2.4.3-p1


Magento Open Source 2.4.3 - 2.4.3-p1

All

Release Notes

   

Adobe Commerce 2.3.4-p2 - 2.4.2-p2

 

Magento Open Source 2.3.4-p2 - 2.4.2-p2

   

Adobe Commerce 2.3.3-p1 - 2.3.4

 

Magento Open Source 2.3.3-p1 - 2.3.4

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity Authentication required to exploit? Exploit requires admin privileges?
CVSS base score
CVSS vector
Magento Bug ID CVE number(s)

Improper Input Validation (CWE-20

Arbitrary Code Execution 

Critical

No

No

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-3118

CVE-2022-24086

 

Improper Input Validation (CWE-20
Arbitrary Code Execution 
Critical
No No 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
PRODSECBUG-3120
CVE-2022-24087

 

Revisions

February 17th, 2022:

      - Updated affected versions for CVE-2022-24086

      - Updated CVE details and acknowledgements for CVE-2022-24087

February 14th, 2022: 

      - Clarified column headers in Vulnerability Details table

Acknowledgements

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

  • Eboda & Blaklis (CVE-2022-24087)

 


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online