Adobe Security Bulletin

Security update available for Adobe Commerce | APSB24-73

Bulletin ID: APSB24-73
Date Published: October 08, 2024
Priority: 2

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass and privilege escalation.

Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

Affected Versions

Product              Version                Platform
Adobe Commerce       2.4.7-p2 and earlier   All
                     2.4.6-p7 and earlier
                     2.4.5-p9 and earlier
                     2.4.4-p10 and earlier
Adobe Commerce B2B   1.4.2-p2 and earlier   All
                     1.3.5-p7 and earlier
                     1.3.4-p9 and earlier
                     1.3.3-p10 and earlier
Magento Open Source  2.4.7-p2 and earlier   All
                     2.4.6-p7 and earlier
                     2.4.5-p9 and earlier
                     2.4.4-p10 and earlier

Note: For clarity, affected versions are now listed for each supported release line rather than only for the most recent versions.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product              Updated Version                          Platform  Priority Rating  Installation Instructions
Adobe Commerce       2.4.7-p3 for 2.4.7-p2 and earlier        All       3                2.4.x release notes
                     2.4.6-p8 for 2.4.6-p7 and earlier                                   Release Notes for Isolated Patch on CVE-2024-45115
                     2.4.5-p10 for 2.4.5-p9 and earlier
                     2.4.4-p11 for 2.4.4-p10 and earlier
Adobe Commerce B2B   1.4.2-p3 for 1.4.2-p2 and earlier        All       2
                     1.3.5-p8 for 1.3.5-p7 and earlier
                     1.3.4-p10 for 1.3.4-p9 and earlier
                     1.3.3-p11 for 1.3.3-p10 and earlier
Adobe Commerce B2B   Isolated patch for CVE-2024-45115        All       2
                     (compatible with all Adobe Commerce B2B
                     versions between 1.3.3 and 1.4.2)
Magento Open Source  2.4.7-p3 for 2.4.7-p2 and earlier        All       3
                     2.4.6-p8 for 2.4.6-p7 and earlier
                     2.4.5-p10 for 2.4.5-p9 and earlier
                     2.4.4-p11 for 2.4.4-p10 and earlier
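To make the Affected Versions and Solution tables above directly usable in an inventory check, here is an added example (not Adobe's tooling) that parses a version string in the form the bulletin uses (release line plus an optional -pN patch level), decides whether it falls in an affected range, and names the release to move to. The AFFECTED table is transcribed from this bulletin; the Composer package names used to locate the product version, and the composer.lock content, are assumptions and constructed sample data respectively.

```python
"""Check Adobe Commerce, Magento Open Source and Adobe Commerce B2B versions
against the APSB24-73 affected/fixed version table.

Added example, not Adobe's tooling. AFFECTED is transcribed from the bulletin;
COMPOSER_PACKAGES is an assumption and SAMPLE_LOCK is constructed sample data.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (product, release line) -> (highest affected patch level, first fixed version),
# transcribed from the bulletin's Affected Versions and Solution tables.
AFFECTED = {
    ("commerce", "2.4.7"): (2, "2.4.7-p3"),
    ("commerce", "2.4.6"): (7, "2.4.6-p8"),
    ("commerce", "2.4.5"): (9, "2.4.5-p10"),
    ("commerce", "2.4.4"): (10, "2.4.4-p11"),
    ("b2b", "1.4.2"): (2, "1.4.2-p3"),
    ("b2b", "1.3.5"): (7, "1.3.5-p8"),
    ("b2b", "1.3.4"): (9, "1.3.4-p10"),
    ("b2b", "1.3.3"): (10, "1.3.3-p11"),
}
# Magento Open Source has the same affected and fixed 2.4.x versions as Adobe Commerce.
for (_product, _line), _entry in list(AFFECTED.items()):
    if _product == "commerce":
        AFFECTED[("open-source", _line)] = _entry

# Assumed Composer package names per product (not stated in the bulletin).
COMPOSER_PACKAGES = {
    "magento/product-community-edition": "open-source",
    "magento/product-enterprise-edition": "commerce",
    "magento/extension-b2b": "b2b",
}

# Bulletin version format: release line, optional "-p<N>" patch level.
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:-p(\d+))?$")


@dataclass
class Verdict:
    product: str
    version: str
    affected: bool
    fixed_in: Optional[str]  # None when the bulletin lists no fix for this line
    reason: str


def parse_version(version: str) -> Tuple[str, int]:
    """Split '2.4.6-p7' into ('2.4.6', 7). A bare '2.4.6' is patch level 0,
    which falls under '2.4.6-p7 and earlier' and is therefore affected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def assess(product: str, version: str) -> Verdict:
    """Compare one installed version with the bulletin's table."""
    line, patch = parse_version(version)
    entry = AFFECTED.get((product, line))
    if entry is None:
        # A line the bulletin does not mention (e.g. 2.4.3) is not thereby
        # safe: report it as unassessed, not as clean.
        return Verdict(product, version, False, None,
                       f"release line {line} is not listed in APSB24-73; assess separately")
    last_affected, fixed_in = entry
    if patch <= last_affected:
        return Verdict(product, version, True, fixed_in,
                       f"{version} is affected; update to {fixed_in}")
    return Verdict(product, version, False, fixed_in,
                   f"{version} is at or beyond {fixed_in}")


def assess_composer_lock(lock_text: str) -> List[Verdict]:
    """Run assess() over every recognised product package in a composer.lock."""
    lock = json.loads(lock_text)
    verdicts = []
    for pkg in lock.get("packages", []):
        product = COMPOSER_PACKAGES.get(pkg.get("name", ""))
        if product is not None:
            verdicts.append(assess(product, pkg["version"]))
    return verdicts


# Constructed sample composer.lock: a B2B shop one patch level behind on both lines.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/product-enterprise-edition", "version": "2.4.6-p7"},
    {"name": "magento/extension-b2b", "version": "1.3.5-p7"},
    {"name": "monolog/monolog", "version": "2.9.2"},
]})

if __name__ == "__main__":
    for v in assess_composer_lock(SAMPLE_LOCK):
        print(("AFFECTED" if v.affected else "ok      "), v.product, v.reason)
```

Two edge cases matter in practice: a bare line version such as 2.4.6 is patch level 0 and so counts as "2.4.6-p7 and earlier", and a line the bulletin does not list (such as 2.4.3) is reported as unassessed rather than clean, because the bulletin says nothing about it. For a B2B installation, the core product and the B2B extension are checked separately, matching the bulletin's separate tables.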

Vulnerability Details

Vulnerability Category                                       Impact                      Severity   Auth required?  Admin privileges?  CVSS  CVSS vector                                   CVE             Notes
Improper Authentication (CWE-287)                            Privilege escalation        Critical   No              No                 9.8   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  CVE-2024-45115  Only applies to B2B edition
Improper Authentication (CWE-287)                            Security feature bypass     Critical   No              No                 8.8   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  CVE-2024-45148  Only applies to B2B edition
Cross-site Scripting (Stored XSS) (CWE-79)                   Arbitrary code execution    Critical   Yes             Yes                8.1   CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N  CVE-2024-45116
Improper Input Validation (CWE-20)                           Arbitrary file system read  Critical   Yes             Yes                7.6   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L  CVE-2024-45117
Improper Access Control (CWE-284)                            Security feature bypass     Important  Yes             Yes                6.5   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  CVE-2024-45118
Server-Side Request Forgery (SSRF) (CWE-918)                 Arbitrary file system read  Important  Yes             Yes                5.5   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N  CVE-2024-45119
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)  Security feature bypass     Moderate   Yes             No                 4.3   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N  CVE-2024-45120
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             Yes                4.3   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45121
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             Yes                4.3   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N  CVE-2024-45122
Cross-site Scripting (Stored XSS) (CWE-79)                   Arbitrary code execution    Critical   Yes             Yes                6.1   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  CVE-2024-45123
Improper Access Control (CWE-284)                            Security feature bypass     Important  Yes             No                 5.3   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45124
Incorrect Authorization (CWE-863)                            Security feature bypass     Moderate   Yes             Yes                4.3   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45125
Cross-site Scripting (Stored XSS) (CWE-79)                   Arbitrary code execution    Critical   Yes             Yes                4.8   CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N  CVE-2024-45127
Improper Authorization (CWE-285)                             Security feature bypass     Important  Yes             Yes                5.4   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L  CVE-2024-45128
Improper Access Control (CWE-284)                            Privilege escalation        Moderate   Yes             Yes                4.3   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45129
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             Yes                4.3   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45130
Improper Authorization (CWE-285)                             Security feature bypass     Important  Yes             Yes                5.4   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N  CVE-2024-45131
Improper Authorization (CWE-285)                             Privilege escalation        Important  Yes             Yes                6.5   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N  CVE-2024-45132
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             Yes                2.7   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N  CVE-2024-45133
Information Exposure (CWE-200)                               Security feature bypass     Moderate   Yes             Yes                2.7   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N  CVE-2024-45134
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             No                 2.7   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N  CVE-2024-45135
Improper Access Control (CWE-284)                            Security feature bypass     Moderate   Yes             Yes                2.7   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N  CVE-2024-45149

Note:

Authentication required to exploit (Auth required?): whether the vulnerability can only be exploited by an attacker holding valid credentials (Yes), or also without credentials (No).

Exploit requires admin privileges (Admin privileges?): whether the vulnerability can only be exploited by an attacker with administrative privileges (Yes).

Severity is Adobe's own rating and is not derived from the CVSS base score, so the two do not always fall in the same band: the Stored XSS entries CVE-2024-45123 and CVE-2024-45127 are rated Critical with base scores of 6.1 and 4.8. When prioritising, read the vector and the edition note alongside the Severity label rather than relying on the label alone.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • Akash Hamal (akashhamal0x01) - CVE-2024-45118, CVE-2024-45120, CVE-2024-45121, CVE-2024-45122, CVE-2024-45128, CVE-2024-45129, CVE-2024-45130, CVE-2024-45131, CVE-2024-45132
  • Blaklis (blaklis) - CVE-2024-45115, CVE-2024-45123, CVE-2024-45133, CVE-2024-45134, CVE-2024-45135, CVE-2024-45148, CVE-2024-45149
  • wohlie - CVE-2024-45117
  • Javier Corral (corraldev) - CVE-2024-45116
  • truff - CVE-2024-45119
  • Prashant Bhattarai (g0ndaar) - CVE-2024-45124
  • n1nj4sec - CVE-2024-45125
  • Tara Owens (tmoh4kr) - CVE-2024-45127

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.


For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.
