Adobe Security Bulletin

Security Updates Available for Magento | APSB20-47

Bulletin ID

Date Published

Priority

ASPB20-47

July 28th, 2020      

2

Summary

Magento has released updates for Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). These updates resolve vulnerabilities rated Important and Critical .  Successful exploitation could lead to arbitrary code execution and signature verification bypass.



Affected Versions

Product

Version

Platform

Magento Commerce 2

2.3.5-p1 and earlier versions 

All

Magento Open Source 2

2.3.5-p1 and earlier versions

All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Release Notes

Magento Commerce 2

2.4.0

All

2

Magento Open Source 2

2.4.0

All

2

 

 

 

 

 

Magento Commerce 2

2.3.5-p2

All

2

N/A

Magento Open Source 2

2.3.5-p2

All

2

N/A

Vulnerability details

Vulnerability Category

Vulnerability Impact

Severity

Pre-authentication?

Admin privileges required?

Magento Bug ID

CVE numbers

Path Traversal

Arbitrary code execution

Critical

No

Yes

PRODSECBUG-2716 

CVE-2020-9689

Observable Timing Discrepancy

Signature verification bypass

Important

No

Yes

PRODSECBUG-2726

CVE-2020-9690

DOM-based Cross-Site Scripting

Arbitrary code execution

Important

Yes

No

PRODSECBUG-2533 

CVE-2020-9691

Security Mitigation bypass 

Arbitrary code execution

Critical

No

Yes

PRODSECBUG-2769 

CVE-2020-9692 

Piezīme.

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:   

  • Edgar Boda-Majer of Bugscale and Blaklis (CVE-2020-9689)
  • Wasin Sae-ngow (CVE-2020-9690)
  • Linus Särud (CVE-2020-9691) 
  • Edgar Boda-Majer of Bugscale (CVE-2020-9692)

Revisions

Adobe logotips

Pierakstieties savā kontā