Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-38

Bulletin ID | Date Published | Priority
APSB22-38 | August 9, 2022 | 3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.

Affected Versions

Product | Version | Platform
Adobe Commerce | 2.4.3-p2 and earlier versions | All
Adobe Commerce | 2.3.7-p3 and earlier versions | All
Adobe Commerce | 2.4.4 and earlier versions | All
Magento Open Source | 2.4.3-p2 and earlier versions | All
Magento Open Source | 2.3.7-p3 and earlier versions | All
Magento Open Source | 2.4.4 and earlier versions | All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product | Updated Version | Platform | Priority Rating | Installation Instructions
Adobe Commerce | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5 | All | 3 | 2.4.x release notes; 2.3.x release notes
Magento Open Source | 2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5 | All | 3 | 2.4.x release notes; 2.3.x release notes
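
A version check for the Solution table, written here as an added example rather than Adobe's own tooling: it parses the `major.minor.patch[-pN]` version strings the bulletin uses and reports whether an installed Adobe Commerce or Magento Open Source release is covered by APSB22-38 and which updated release applies to its line. The list of updated releases is taken from the table above; everything else (function names, the handling of lines with no in-line fix) is this example's own assumption.

```python
import re
from typing import Optional, Tuple

# Updated releases from the APSB22-38 Solution table (same list for Adobe
# Commerce and Magento Open Source). Added example, not Adobe's own tooling.
FIXED_RELEASES = ("2.3.7-p4", "2.4.3-p3", "2.4.4-p1", "2.4.5")

Version = Tuple[int, int, int, int]  # (major, minor, patch, security patch N of "-pN")

def parse_version(text: str) -> Version:
    """Parse '2.4.3-p2' or '2.4.4' into a comparable tuple.

    A release without a -pN suffix is the base release and sorts as p0, so
    2.4.4 < 2.4.4-p1 and 2.4.3-p2 < 2.4.3-p3, as the bulletin intends.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce/Magento version: {text!r}")
    major, minor, patch, sec = m.groups()
    return (int(major), int(minor), int(patch), int(sec or 0))

def format_version(v: Version) -> str:
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}-p{v[3]}" if v[3] else base

def assess(installed_text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected by APSB22-38?, release to install or None).

    The fix for a site is the lowest updated release in its own major.minor
    line that is not older than the installed version: 2.3.x -> 2.3.7-p4,
    2.4.0..2.4.3 -> 2.4.3-p3, 2.4.4 -> 2.4.4-p1. Note that 2.4.3-p3 sits
    inside the literal "2.4.4 and earlier" range yet is a fixed release, so
    the Solution table, not the Affected Versions range, is what decides.
    """
    installed = parse_version(installed_text)
    fixed = sorted(parse_version(f) for f in FIXED_RELEASES)
    in_line = [f for f in fixed if f[:2] == installed[:2] and f >= installed]
    if in_line:
        target = in_line[0]
        if target == installed:
            return (False, None)           # already on a fixed release
        return (True, format_version(target))
    if installed < fixed[0]:
        # Older than every updated release (e.g. a 2.2.x site): still inside
        # "2.3.7-p3 and earlier" and has no in-line fix, so the bulletin's
        # advice to move to the newest version (2.4.5) applies.
        return (True, format_version(fixed[-1]))
    # Newer than every updated release in its line (2.4.5+, 2.3.7-p5+).
    return (False, None)
```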

Vulnerability Details

Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s)
XML Injection (aka Blind XPath Injection) (CWE-91) | Arbitrary code execution | Critical | Yes | Yes | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | PRODSECBUG-3095 | CVE-2022-34253
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | Arbitrary code execution | Critical | Yes | No | 8.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N | PRODSECBUG-3081 | CVE-2022-34254
Improper Input Validation (CWE-20) | Privilege escalation | Critical | Yes | No | 8.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | PRODSECBUG-3082 | CVE-2022-34255
Improper Authorization (CWE-285) | Privilege escalation | Critical | No | No | 8.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N | PRODSECBUG-3093 | CVE-2022-34256
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Important | No | No | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | PRODSECBUG-3079 | CVE-2022-34257
Cross-site Scripting (Stored XSS) (CWE-79) | Arbitrary code execution | Moderate | Yes | Yes | 3.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | PRODSECBUG-3080 | CVE-2022-34258
Improper Access Control (CWE-284) | Security feature bypass | Important | No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | PRODSECBUG-3180 | CVE-2022-34259
Improper Authorization (CWE-285) | Security feature bypass | Moderate | No | No | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N | PRODSECBUG-3151 | CVE-2022-35692

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • zb3 (zb3) - CVE-2022-34253, CVE-2022-34255, CVE-2022-34256
  • Edgar Boda-Majer (eboda) - CVE-2022-34254, CVE-2022-34257
  • Salman Khan (salmanbabuzai) - CVE-2022-34258
  • Axel Flamcourt (axfla) - CVE-2022-34259, CVE-2022-35692

Revisions

August 22, 2022: Priority rating revision in Solution table

August 18, 2022: Added CVE-2022-35692

August 12, 2022: Updated values in "Authentication required to exploit?" and "Exploit requires admin privileges?".

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
