BIT-magento-2021-36036

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/magento/BIT-magento-2021-36036.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-magento-2021-36036

Aliases

CVE-2021-36036

Published

2024-03-06T10:57:23.602Z

Modified

2025-02-26T16:37:33.026Z

Summary

[none]

Details

Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper access control vulnerability within Magento's Media Gallery Upload workflow. By storing a specially crafted file in the website gallery, an authenticated attacker with administrative privilege can gain access to delete the .htaccess file. This could result in the attacker achieving remote code execution.

Database specific

{
    "cpes": [
        "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*",
        "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*",
        "cpe:2.3:a:magento:magento:2.3.7:-:*:*:commerce:*:*:*",
        "cpe:2.3:a:magento:magento:2.3.7:-:*:*:open_source:*:*:*",
        "cpe:2.3:a:magento:magento:2.4.2:-:*:*:commerce:*:*:*",
        "cpe:2.3:a:magento:magento:2.4.2:-:*:*:open_source:*:*:*",
        "cpe:2.3:a:magento:magento:2.4.2:p1:*:*:commerce:*:*:*",
        "cpe:2.3:a:magento:magento:2.4.2:p1:*:*:open_source:*:*:*"
    ],
    "severity": "High"
}

References

https://helpx.adobe.com/security/products/magento/apsb21-64.html

Affected packages

Bitnami / magento

Package

Name: magento
Purl: pkg:bitnami/magento

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.3.7

Introduced

2.4.0

Fixed

2.4.2

Type: SEMVER
Events: Introduced

2.3.7

Last affected

2.3.7

Introduced

2.4.2-p1

Last affected

2.4.2-p1

Introduced

2.4.2

Last affected

2.4.2