Security Updates Available for Magento | APSB20-47
Bulletin ID  Date Published   Priority
APSB20-47    July 28th, 2020  2

Summary

Magento has released updates for Magento Commerce 2 (formerly known as Magento Enterprise Edition) and Magento Open Source 2 (formerly known as Magento Community Edition). These updates resolve vulnerabilities rated Important and Critical. Successful exploitation could lead to arbitrary code execution and signature verification bypass.

Affected Versions

Product                Version                         Platform
Magento Commerce 2     2.3.5-p1 and earlier versions   All
Magento Open Source 2  2.3.5-p1 and earlier versions   All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product                Updated Version  Platform  Priority Rating  Release Notes
Magento Commerce 2     2.4.0            All       2                2.4.0 Commerce
Magento Open Source 2  2.4.0            All       2                2.4.0 Open Source
Magento Commerce 2     2.3.5-p2         All       2                N/A
Magento Open Source 2  2.3.5-p2         All       2                N/A

Vulnerability details

Vulnerability Category          Vulnerability Impact           Severity   Pre-authentication?  Admin privileges required?  Magento Bug ID   CVE numbers
Path Traversal                  Arbitrary code execution       Critical   No                   Yes                         PRODSECBUG-2716  CVE-2020-9689
Observable Timing Discrepancy   Signature verification bypass  Important  No                   Yes                         PRODSECBUG-2726  CVE-2020-9690
DOM-based Cross-Site Scripting  Arbitrary code execution       Important  Yes                  No                          PRODSECBUG-2533  CVE-2020-9691
Security Mitigation bypass      Arbitrary code execution       Critical   No                   Yes                         PRODSECBUG-2769  CVE-2020-9692

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker with administrative privileges.

Acknowledgments

Adobe would like to thank the following individuals for reporting the relevant issues and for working with Adobe to help protect our customers:

  • Edgar Boda-Majer of Bugscale and Blaklis (CVE-2020-9689)
  • Wasin Sae-ngow (CVE-2020-9690)
  • Linus Särud (CVE-2020-9691)
  • Edgar Boda-Majer of Bugscale (CVE-2020-9692)

Revisions