Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNyZjIteG02eC00NnA2

Observable Timing Discrepancy in OpenMage LTS

Impact

This vulnerability allows to circumvent the formkey protection in the Admin Interface and increases the attack surface for Cross Site Request Forgery attacks

Patches

The latest OpenMage Versions up from 19.4.6 and 20.0.2 have this Issue solved

References

Related to Adobes CVE-2020-9690 ( https://helpx.adobe.com/security/products/magento/apsb20-47.html )
fixed in Magento2 https://github.com/magento/magento2/commit/52d72b8010c9cecb5b8e3d98ec5edc1ddcc65fb4
as part of 2.4.0/2.3.5-p2

Permalink: https://github.com/advisories/GHSA-crf2-xm6x-46p6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWNyZjIteG02eC00NnA2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: about 1 year ago

CVSS Score: 8.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Identifiers: GHSA-crf2-xm6x-46p6, CVE-2020-15151
References:

Repository: https://github.com/OpenMage/magento-lts
Blast Radius: 11.9

Affected Packages

packagist:openmage/magento-lts

Dependent packages: 21
Dependent repositories: 31
Downloads: 145,779 total
Affected Version Ranges: >= 20.0.0, < 20.0.2, < 19.4.6
Fixed in: 20.0.2, 19.4.6
All affected versions: 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 20.0.0, 20.0.1
All unaffected versions: 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.14, 19.4.15, 19.4.16, 19.4.17, 19.4.18, 19.4.19, 19.4.20, 19.4.21, 19.4.22, 19.4.23, 19.5.0, 19.5.1, 19.5.2, 19.5.3, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.10, 20.0.11, 20.0.12, 20.0.13, 20.0.14, 20.0.15, 20.0.16, 20.0.17, 20.0.18, 20.0.19, 20.0.20, 20.1.0, 20.1.1, 20.2.0, 20.3.0, 20.4.0, 20.5.0, 20.6.0