GHSA-2fhr-f6q6-c4p2

Source

https://github.com/advisories/GHSA-2fhr-f6q6-c4p2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2fhr-f6q6-c4p2

Aliases

CVE-2019-7950

Published

2022-05-24T16:52:29Z

Modified

2024-02-16T08:24:53.221240Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Magento 2 Community Edition Access Control Bypass

Details

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.

Database specific

{
    "nvd_published_at": "2019-08-02T22:15:00Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T18:42:33Z"
}

References

Affected packages

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.1.0

Fixed

2.1.18

Affected versions

2.*

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

2.2.9

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

Packagist / magento/community-edition

Package

Name: magento/community-edition
Purl: pkg:composer/magento/community-edition

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.0

Fixed

2.3.2

Affected versions

2.*

2.3.0

2.3.1