Security Updates Available for Magento | APSB20-22
Bulletin ID Date Published Priority
ASPB20-22
April 28, 2020      
2

Summary

Magento has released updates for Magento Commerce and Open Source editions.  These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings).  Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product Version Platform
Magento Commerce 

2.3.4 and earlier versions    

All
Magento Open Source   

2.3.4 and earlier versions    

All

Magento Commerce 

2.2.11 and earlier versions (see note)

All

Magento Open Source  

2.2.11 and earlier versions (see note)

All

Magento Enterprise Edition    

1.14.4.4 and earlier versions    

All

Magento Community Edition  

1.9.4.4 and earlier versions

All

Opomba:

Magento 2.2x reached end of support on December 31, 2019.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Version Platform Priority Rating Availability
Magento Commerce    
2.3.4-p2 All 2 2.3.4-p2 Commerce
Magento Open Source    
2.3.4-p2 All
2

2.3.4-p2 Open Source

Magento Commerce    
2.3.5-p1 All
2
2.3.5 Commerce
Magento Open Source    
2.3.5-p1 All
2
2.3.5 Open Source
Magento Enterprise Edition    
1.14.4.5 All
2
1.14.4.5
Magento Community Edition    
1.9.4.5 All
2
1.9.4.5

Opomba:

Magento Commerce 2.2.12 is available exclusively to extended support Commerce customers.

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

Magento Bug ID CVE numbers
Command injection



Arbitrary code execution



Critical



No Yes PRODSECBUG-2707



CVE-2020-9576



Stored cross-site scripting    



Sensitive information disclosure    



Important Yes



No PRODSECBUG-2671



CVE-2020-9577 



Command injection



Arbitrary code execution



Critical 



No Yes PRODSECBUG-2695



CVE-2020-9578  



Security mitigation bypass



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2696



CVE-2020-9579
Security mitigation bypass



Arbitrary code execution Critical



No



Yes



PRODSECBUG-2697



CVE-2020-9580
Stored cross-site scripting



Sensitive information disclosure



Important



No



Yes



PRODSECBUG-2700



CVE-2020-9581
Command injection



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2708



CVE-2020-9582
Command injection



Arbitrary code execution



Critical



No



Yes



PRODSECBUG-2710



CVE-2020-9583
Stored cross-site scripting



Sensitive information disclosure



Important



Yes



No



PRODSECBUG-2715



CVE-2020-9584
Defense-in-depth security mitigation



Arbitrary code execution



Moderate



No



Yes



PRODSECBUG-2541



CVE-2020-9585
Defense-in-depth security mitigation



Unauthorized access to admin panel



Moderate



Yes Yes



MPERF-10898



CVE-2020-9591



Authorization bypass



Potentially unauthorized product discounts



Moderate



Yes



No



PRODSECBUG-2518



CVE-2020-9587



Observable Timing Discrepancy Signature verification bypass



Important



No



Yes



PRODSECBUG-2677



CVE-2020-9588
Business logic error Privilege escalation Important No Yes PRODSECBUG-2722 CVE-2020-9630
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2703 CVE-2020-9631
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2704 CVE-2020-9632

Opomba:

1.     CVE-2020-9585 is mitigated in default installs

2.     CVE-2020-9591 exclusively impacts Magento 1

Opomba:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:  

  • Blaklis (CVE-2020-9576, CVE-2020-9579, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584)
  • Flatmoon (CVE-2020-9577)
  • Y0natan (CVE-2020-9578)
  • Edgar Boda-Majer (CVE-2020-9580)
  • Qubitz (CVE-2020-9585)
  • Magnusg (CVE-2020-9587)
  • Wasin Sae-ngow (CVE-2020-9588)
  • Max Chadwick (CVE-2020-9630)

 

Revisions

May 4, 2020: Removed acknowledgement for CVE-2020-9586.

May 7, 2020: Added CVE-2020-9630, which was inadvertently omitted from original version. 

May 12, 2020: Added CVE-2020-9631 and CVE-2020-9632, which were inadvertently omitted from original version.