Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zM2NqLXc3NWYtNDltMs4AAhlE

Magento 2 Community Edition Server-Side Request Forgery vulnerability

A server-side request forgery (SSRF) vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This can be exploited by an authenticated user with access to the admin panel to manipulate system configuration and execute arbitrary code.

Permalink: https://github.com/advisories/GHSA-33cj-w75f-49m2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zM2NqLXc3NWYtNDltMs4AAhlE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago

CVSS Score: 7.2
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-33cj-w75f-49m2, CVE-2019-7911
References:

Blast Radius: 7.8

Affected Packages

packagist:magento/community-edition

Dependent packages: 12
Dependent repositories: 12
Downloads: 47,721 total
Affected Version Ranges: >= 2.3.0, < 2.3.2, >= 2.2.0, < 2.2.9, >= 2.1.0, < 2.1.18
Fixed in: 2.3.2, 2.2.9, 2.1.18
All affected versions: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.3.0, 2.3.1
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.18, 2.2.9, 2.2.10, 2.2.11, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7