Magento software

New RCE flaw added to Adobe Commerce, Magento security advisory

Adobe has updated its advisory on an actively exploited critical vulnerability in the open source Magento and Commerce platforms to include another RCE bug.

The tech giant issued revisions to the advisory on February 17.

Adobe originally released an out-of-band patch on February 13 to address CVE-2022-24086, a critical pre-authorization vulnerability that can be exploited by attackers to remotely execute arbitrary code.

CVE-2022-24086 received a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.”

Now Adobe has added another vulnerability to the advisory, CVE-2022-24087.

“We have discovered additional security protections needed for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said.

The vulnerability also received a CVSS score of 9.8 and affects the same products in the same way.

The security flaws require no administrative privileges to trigger and both are described as improper input validation bugs leading to remote code execution (RCE).

As CVE-2022-24086 is abused in nature, Adobe has not released further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they to have been able to replicate the vulnerability.

Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2, and 2.4.0 – 2.4.3-p1 are impacted. However, versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company.

Adobe has provided a guide for users to manually install the necessary security patches.

Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweetBlaklis said the first patch to resolve CVE-2022-24086 is “not enough” and urged Magento & Commerce users to apply the new patches.

Previous and related coverage

Do you have any advice? Get in touch securely via WhatsApp | Signal at +447713 025 499, or more at Keybase: charlie0