Last updated on 27 Dec 2022
Security update available for Adobe Commerce | APSB22-13
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB22-13 | April 12, 2022 | 3 |
Summary
Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution.
Affected Versions
| Product | Version | Platform | 
|---|---|---|
| Adobe Commerce | 2.4.3-p1 and earlier versions | All |
| Adobe Commerce | 2.3.7-p2 and earlier versions | All |
| Magento Open Source | 2.4.3-p1 and earlier versions | All |
| Magento Open Source | 2.3.7-p2 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions | 
|---|---|---|---|---|
| Adobe Commerce | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 | |
| Magento Open Source | 2.3.7-p3, 2.4.3-p2, 2.4.4 | All | 1 | |
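A version check against the affected and updated versions listed above, as an added example that is not part of Adobe's bulletin or Adobe's code. It assumes version strings of the form X.Y.Z or X.Y.Z-pN, reads "and earlier versions" literally, and cannot see fixes applied without a version change; the function names, host names and inventory are constructed for illustration.

```python
import re

# Boundaries copied from the bulletin's Affected Versions table.
LAST_AFFECTED_23 = (2, 3, 7, 2)  # 2.3.7-p2 and earlier versions
FIRST_24 = (2, 4, 0, 0)          # start of the 2.4 release line
LAST_AFFECTED_24 = (2, 4, 3, 1)  # 2.4.3-p1 and earlier versions

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text):
    """Turn 'X.Y.Z' or 'X.Y.Z-pN' into a tuple of four ints.

    The patch level is compared as a number: as strings,
    '2.3.7-p10' would sort before '2.3.7-p2'.
    """
    match = _VERSION.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognized version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(text):
    """True if the version falls in a range the bulletin lists as affected."""
    version = parse_version(text)
    # 2.3.7-p3 sorts below 2.4.0 but is an updated version, so the
    # two release lines need separate upper bounds.
    if version <= LAST_AFFECTED_23:
        return True
    return FIRST_24 <= version <= LAST_AFFECTED_24


def assess(inventory):
    """Map each host to 'affected', 'not affected' or 'unparsed'."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            report[host] = "unparsed"  # e.g. beta builds: review by hand
    return report


if __name__ == "__main__":
    # Constructed inventory; host names are placeholders.
    sample = {"shop-a": "2.4.3-p1", "shop-b": "2.3.7-p3",
              "shop-c": "2.4.4", "shop-d": "2.4.4-beta2"}
    for host, status in assess(sample).items():
        print(f"{host}: {status}")
```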
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s) | 
|---|---|---|---|---|---|---|---|---|
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-3137 | CVE-2022-24093 | 
Acknowledgements
Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:
- Blaklis and Eboda - CVE-2022-24093
 
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.