Security Updates Available for Magento | APSB20-02
Bulletin ID   Date Published     Priority
APSB20-02     January 28, 2020   2

Summary

Magento has released updates for Magento Commerce and Open Source editions. These updates resolve critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution.

Affected Versions

Product                       Version                          Platform
Magento Commerce              2.3.3 and earlier versions       All
Magento Open Source           2.3.3 and earlier versions       All
Magento Commerce              2.2.10 and earlier versions      All
Magento Open Source           2.2.10 and earlier versions      All
Magento Enterprise Edition    1.14.4.3 and earlier versions    All
Magento Community Edition     1.9.4.3 and earlier versions     All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product                       Version   Platform  Priority Rating  Availability
Magento Commerce              2.3.4     All       2                2.3.4 Commerce
Magento Open Source           2.3.4     All       2                2.3.4 Open Source
Magento Commerce              2.2.11    All       2                2.2.11 Commerce
Magento Open Source           2.2.11    All       2                2.2.11 Open Source
Magento Enterprise Edition    1.14.4.4  All       2                1.14.4 EE
Magento Community Edition     1.9.4.4   All       2                1.9.4.4 CE

Vulnerability details

Vulnerability Category             Vulnerability Impact              Severity   Magento Bug ID   CVE Numbers
Stored cross-site scripting        Sensitive information disclosure  Important  PRODSECBUG-2543  CVE-2020-3715
Stored cross-site scripting        Sensitive information disclosure  Important  PRODSECBUG-2599  CVE-2020-3758
Deserialization of untrusted data  Arbitrary code execution          Critical   PRODSECBUG-2579  CVE-2020-3716
Path traversal                     Sensitive information disclosure  Important  PRODSECBUG-2632  CVE-2020-3717
Security bypass                    Arbitrary code execution          Critical   PRODSECBUG-2633  CVE-2020-3718
SQL injection                      Sensitive information disclosure  Critical   PRODSECBUG-2660  CVE-2020-3719

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:

· Ernesto Martin (CVE-2020-3715)
· Blaklis (CVE-2020-3716, CVE-2020-3717, CVE-2020-3718)
· Luke Rodgers (CVE-2020-3719)
· Djordje Marjanovic (CVE-2020-3758)