GHSA-crv7-r357-gw3w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-crv7-r357-gw3w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-crv7-r357-gw3w/GHSA-crv7-r357-gw3w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-crv7-r357-gw3w
- Aliases
- Published
- 2022-05-24T17:00:24Z
- Modified
- 2024-02-16T08:19:12.840033Z
- Severity
-
- 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Magento 2 Community Edition RCE Vulnerability
- Details
-
A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.
As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.
- Database specific
{ "nvd_published_at": "2019-11-05T23:15:00Z", "cwe_ids": [ "CWE-434" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-18T20:03:58Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-8114
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-8114.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-8114.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8114.yaml
- https://github.com/magento/magento2
- https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://web.archive.org/web/20211209030216/https://magento.com/security/patches/supee-11219
Affected packages
Packagist / magento/community-edition
Package
- Name
- magento/community-edition
- Purl
- pkg:composer/magento/community-edition
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.9.4.3
Affected versions
0.*
0.1.0-alpha89
0.1.0-alpha90
0.1.0-alpha91
0.1.0-alpha92
0.1.0-alpha93
0.1.0-alpha94
0.1.0-alpha95
0.1.0-alpha96
0.1.0-alpha97
0.1.0-alpha98
0.1.0-alpha99
0.1.0-alpha100
0.1.0-alpha101
0.1.0-alpha102
0.1.0-alpha103
0.1.0-alpha104
0.1.0-alpha105
0.1.0-alpha106
0.1.0-alpha107
0.1.0-alpha108
0.42.0-beta1
0.42.0-beta2
0.42.0-beta3
0.42.0-beta4
0.42.0-beta5
0.42.0-beta6
0.42.0-beta7
0.42.0-beta8
0.42.0-beta9
0.42.0-beta10
0.42.0-beta11
0.74.0-beta1
0.74.0-beta2
0.74.0-beta3
0.74.0-beta4
0.74.0-beta5
0.74.0-beta6
0.74.0-beta7
0.74.0-beta8
0.74.0-beta9
0.74.0-beta10
0.74.0-beta11
0.74.0-beta12
0.74.0-beta13
0.74.0-beta14
0.74.0-beta15
0.74.0-beta16
1.*
1.0.0-beta
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-beta5
1.0.0-beta6
Packagist / magento/community-edition
Package
- Name
- magento/community-edition
- Purl
- pkg:composer/magento/community-edition
Packagist / magento/community-edition
Package
- Name
- magento/community-edition
- Purl
- pkg:composer/magento/community-edition