Adobe Security Bulletin

Security update available for Adobe Commerce | APSB24-40

Bulletin ID

Date Published

Priority

APSB24-40

June 11, 2024

1

Summary

Adobe has released a security update for Adobe Commerce,  Magento Open Source and Adobe Commerce Webhooks Plugin. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution, security feature bypass and privilege escalation.

Adobe is aware that CVE-2024-34102 has been exploited in the wild in limited attacks targeting Adobe Commerce merchants.

Affected Versions

Product Version Platform
 Adobe Commerce
2.4.7 and earlier
2.4.6-p5 and earlier
2.4.5-p7 and earlier
2.4.4-p8 and earlier
2.4.3-ext-7 and earlier*
2.4.2-ext-7 and earlier*
All
Magento Open Source 2.4.7 and earlier
2.4.6-p5 and earlier
2.4.5-p7 and earlier
2.4.4-p8 and earlier
All
Adobe Commerce Webhooks Plugin
1.2.0 to 1.4.0
Manual Plugin Installation

Note: For clarity, the affected versions listed are now listed for each supported release line instead of only the most recent versions.

* These versions are only applicable to customers participating in the Extended Support Program

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Updated Version Platform Priority Rating Installation Instructions
Adobe Commerce

2.4.7-p1 for 2.4.7 and earlier
2.4.6-p6 for 2.4.6-p5 and earlier
2.4.5-p8 for 2.4.5-p7 and earlier
2.4.4-p9 for 2.4.4-p8 and earlier
2.4.3-ext-8 for 2.4.3-ext-7 and earlier*
2.4.2-ext-8 for 2.4.2-ext-7 and earlier*

All
1 2.4.x release notes
Magento Open Source 

2.4.7-p1 for 2.4.7 and earlier
2.4.6-p6 for 2.4.6-p5 and earlier
2.4.5-p8 for 2.4.5-p7 and earlier
2.4.4-p9 for 2.4.4-p8 and earlier

All
1
Adobe Commerce Webhooks Plugin
1.5.0 Manual Plugin Installation 1 Upgrade Modules and Extensions
Adobe Commerce and Magento Open Source 

Isolated patch for CVE-2024-34102: ACSD-60241

 

Compatable with all Adobe Commerce and Magento Open Source versions between 2.4.4 - 2.4.7

All 1

Release Notes for Isolated Patch 

 

Note: * These versions are only applicable to customers participating in the Extended Support Program

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity Authentication required to exploit? Exploit requires admin privileges?
CVSS base score
CVSS vector
CVE number(s) Notes
Server-Side Request Forgery (SSRF) (CWE-918)
Arbitrary code execution
Critical Yes Yes 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVE-2024-34111
None
Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Arbitrary code execution
Critical No No 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-34102
None
Improper Authentication (CWE-287)
Privilege escalation
Critical No No 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-34103
None
Improper Authorization (CWE-285)
Security feature bypass
Critical
Yes No 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVE-2024-34104
None
Improper Input Validation (CWE-20)
Arbitrary code execution
Critical
Yes
Yes
9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2024-34108     

 

Adobe Commerce Webhooks Plugin
Improper Input Validation (CWE-20)
Arbitrary code execution
Critical Yes
Yes
8.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2024-34109 Adobe Commerce Webhooks Plugin
Unrestricted Upload of File with Dangerous Type (CWE-434)
Arbitrary code execution
Critical Yes
Yes
8.0 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2024-34110 Adobe Commerce Webhooks Plugin
Cross-site Scripting (Stored XSS) (CWE-79)
Arbitrary code execution
Important Yes Yes 4.8 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVE-2024-34105 None
Improper Authentication (CWE-287)
Security feature bypass
Important Yes No 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVE-2024-34106 None
Improper Access Control (CWE-284)
Security feature bypass
Important
No No 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2024-34107 None
Note:

Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.


Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.

Acknowledgements

Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:

  • wohlie - CVE-2024-34108, CVE-2024-34109, CVE-2024-34110
  • T.H. Lassche (thlassche) - CVE-2024-34104, CVE-2024-34107
  • spacewasp - CVE-2024-34102
  • persata - CVE-2024-34103
  • Geluchat (geluchat) - CVE-2024-34105
  • Akash Hamal (akashhamal0x01) - CVE-2024-34111
  • pranoy_2022 - CVE-2024-34106

NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.

Revisions

July 8, 2024:

  1. Priority revised to 1.

June 27, 2024: 

  1. Adobe has provided an isolated patch for CVE-2024-34102. 

June 26, 2024:

  1. Revised Bulletin priority from 3 to 2. Adobe is aware that there is a publicly available writeup related to CVE-2024-34102.
  2. Removed inapplicable end-of-life extended support versions from Affected and Solution versions tables

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

 Adobe

Get help faster and easier

New user?

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX 2024

Adobe MAX
The Creativity Conference

Oct 14–16 Miami Beach and online

Adobe MAX

The Creativity Conference

Oct 14–16 Miami Beach and online