Security Updates Available for Adobe Commerce | APSB21-64
| Bulletin ID | Date Published | Priority |
|---|---|---|
| APSB21-64 | August 11, 2021 | 2 |
Summary
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution, privilege escalation, security feature bypass, arbitrary file system read, or application denial-of-service.
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.2 and earlier versions | All |
| Adobe Commerce | 2.4.2-p1 and earlier versions | All |
| Adobe Commerce | 2.3.7 and earlier versions | All |
| Magento Open Source | 2.4.2-p1 and earlier versions | All |
| Magento Open Source | 2.3.7 and earlier versions | All |
Solution
Adobe categorizes these updates with the following priority ratings and recommends that users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating |
|---|---|---|---|
| Adobe Commerce | 2.4.3 | All | 2 |
| Adobe Commerce | 2.4.2-p2 | All | 2 |
| Adobe Commerce | 2.3.7-p1 | All | 2 |
| Magento Open Source | 2.4.3 | All | 2 |
| Magento Open Source | 2.4.2-p2 | All | 2 |
| Magento Open Source | 2.3.7-p1 | All | 2 |
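A practitioner triaging a fleet of stores against this bulletin needs to compare installed versions with the fixed releases above, and the `-pN` patch-level suffix makes naive string comparison wrong (2.4.2-p1 is older than 2.4.2-p2, which is older than 2.4.3). The following is an added example, not Adobe's or Magento's code: it orders Magento version strings correctly and decides whether an installation falls under "X and earlier versions" for its branch. It assumes `bin/magento --version` prints a line of the form `Magento CLI <version>`; the sample outputs are constructed, not captured from a real system.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, p-level); a release with no -pN suffix is p0

# Version strings must look like 2.4.2 or 2.4.2-p1; anything else is rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch[-pN]' into a tuple that sorts the way Magento releases are
    ordered (2.4.2 < 2.4.2-p1 < 2.4.2-p2 < 2.4.3)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# First fixed release on each supported branch, taken from the Solution table of APSB21-64.
# On the 2.4 branch both 2.4.2-p2 and 2.4.3 carry the fix; 2.4.3 sorts above 2.4.2-p2, so a
# single threshold per branch is enough.
FIRST_FIXED: Dict[Tuple[int, int], Version] = {
    (2, 4): parse_version("2.4.2-p2"),
    (2, 3): parse_version("2.3.7-p1"),
}


def is_affected(installed: str) -> bool:
    """True when the installed version falls under 'X and earlier versions' for its branch."""
    v = parse_version(installed)
    branch = v[:2]
    if branch in FIRST_FIXED:
        return v < FIRST_FIXED[branch]
    # Branches older than 2.3 (e.g. 2.2.x) are covered by "and earlier versions"; a branch
    # newer than 2.4 postdates this bulletin and is not listed as affected by it.
    return branch < (2, 3)


def version_from_cli_output(output: str) -> str:
    """Extract the release from `bin/magento --version` output.
    Assumption: the command prints a line such as 'Magento CLI 2.4.2-p1'; adjust the
    regex if your installation prints something different."""
    m = re.search(r"\b(\d+\.\d+\.\d+(?:-p\d+)?)\b", output)
    if not m:
        raise ValueError("no Magento version found in CLI output")
    return m.group(1)


def triage(cli_output: str) -> str:
    """One-line verdict for a store, naming the fixed releases from the Solution table."""
    installed = version_from_cli_output(cli_output)
    if not is_affected(installed):
        return f"{installed}: not affected by APSB21-64"
    branch = parse_version(installed)[:2]
    targets = "2.3.7-p1" if branch == (2, 3) else "2.4.2-p2 or 2.4.3"
    return f"{installed}: AFFECTED, update to {targets}"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real system.
    for sample in ("Magento CLI 2.4.2-p1", "Magento CLI 2.3.7", "Magento CLI 2.4.3"):
        print(triage(sample))
```

Feed it the captured output of `bin/magento --version` from each host (or the version reported by `composer show magento/product-community-edition`, which uses the same `x.y.z[-pN]` scheme) and act on every line marked AFFECTED; the 2.4.2 line can take the smaller 2.4.2-p2 security patch when a full upgrade to 2.4.3 is not yet scheduled.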
Vulnerability details
| Vulnerability Category | Vulnerability Impact | Severity | Pre-authentication? | Admin privileges required? | CVSS base score | CVSS vector | Magento Bug ID | CVE numbers |
|---|---|---|---|---|---|---|---|---|
| Business Logic Errors (CWE-840) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2934 | CVE-2021-36012 |
| Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | yes | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | PRODSECBUG-2963, PRODSECBUG-2964 | CVE-2021-36026, CVE-2021-36027 |
| Improper Access Control (CWE-284) | Arbitrary code execution | Critical | no | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2977 | CVE-2021-36036 |
| Improper Authorization (CWE-285) | Security feature bypass | Critical | no | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2968 | CVE-2021-36029 |
| Improper Authorization (CWE-285) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2980 | CVE-2021-36037 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Critical | yes | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | PRODSECBUG-3004 | CVE-2021-36044 |
| Improper Input Validation (CWE-20) | Privilege escalation | Critical | no | no | 8.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | PRODSECBUG-2971 | CVE-2021-36032 |
| Improper Input Validation (CWE-20) | Security feature bypass | Critical | yes | no | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | PRODSECBUG-2969 | CVE-2021-36030 |
| Improper Input Validation (CWE-20) | Security feature bypass | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2982 | CVE-2021-36038 |
| Improper Input Validation (CWE-20) | Arbitrary code execution | Critical | no | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2959, PRODSECBUG-2960, PRODSECBUG-2962, PRODSECBUG-2975, PRODSECBUG-2976, PRODSECBUG-2987, PRODSECBUG-2988, PRODSECBUG-2992 | CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042 |
| Path Traversal (CWE-22) | Arbitrary code execution | Critical | no | yes | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | PRODSECBUG-2970 | CVE-2021-36031 |
| OS Command Injection (CWE-78) | Arbitrary code execution | Critical | no | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2958, PRODSECBUG-2960 | CVE-2021-36022, CVE-2021-36023 |
| Incorrect Authorization (CWE-863) | Arbitrary file system read | Important | no | no | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | PRODSECBUG-2984 | CVE-2021-36039 |
| Server-Side Request Forgery (SSRF) (CWE-918) | Arbitrary code execution | Critical | no | yes | 8.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2996 | CVE-2021-36043 |
| XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | yes | no | 8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | PRODSECBUG-2937 | CVE-2021-36020 |
| XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | no | yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-2965, PRODSECBUG-2972 | CVE-2021-36028, CVE-2021-36033 |
Pre-authentication: The vulnerability is exploitable without credentials (CVSS PR:N). The "Pre-authentication?" and "Admin privileges required?" columns follow the PR metric of each row's CVSS vector: PR:N is pre-authentication, PR:L needs an authenticated low-privilege account (for example a customer account), and PR:H needs administrative privileges.
Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges (CVSS PR:H). Such issues still matter in practice, because an admin account obtained through phishing, credential reuse, or one of the lower-privilege bypasses above turns them into server compromise (scope-changed, S:C).
Acknowledgments
Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:
- Blaklis (CVE-2021-36023, CVE-2021-36026, CVE-2021-36027, CVE-2021-36036, CVE-2021-36029, CVE-2021-36021, CVE-2021-36024, CVE-2021-36025, CVE-2021-36034, CVE-2021-36035, CVE-2021-36031)
- Igorsdv (CVE-2021-36012)
- Zb3 (CVE-2021-36037, CVE-2021-36032, CVE-2021-36038, CVE-2021-36040, CVE-2021-36041, CVE-2021-36042, CVE-2021-36039, CVE-2021-36043, CVE-2021-36033, CVE-2021-36028)
- Dftrace (CVE-2021-36044)
- Floorz (CVE-2021-36030)
- Eboda (CVE-2021-36022)
- Trivani Pant on behalf of Broadway Photo Supply Limited (CVE-2021-36020)
Revisions
August 13, 2021: Updated product naming from Magento/Magento Commerce to Adobe Commerce.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.