Bulletin ID
Last updated on
Jun 13, 2023
Security update available for Adobe Commerce | APSB23-35
|
|
Date Published |
Priority |
|---|---|---|
|
APSB23-35 |
June 13, 2023 |
3 |
Summary
Affected Versions
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce |
2.4.6 and earlier 2.4.5-p2 and earlier 2.4.4-p3 and earlier 2.4.3-ext-2 and earlier* 2.4.2-ext-2 and earlier* 2.4.1-ext-2 and earlier* 2.4.0-ext-2 and earlier* 2.3.7-p4-ext-2 and earlier* |
All |
| Magento Open Source | 2.4.6 and earlier 2.4.5-p2 and earlier 2.4.4-p3 and earlier |
All |
Note: For clarity, the affected versions listed are now listed for each release line instead of only the most recent versions.
* These versions are only applicable to customers participating in the Extended Support Program
Solution
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce |
2.4.6-p1 for 2.4.6 and earlier 2.4.4-p4 for 2.4.4-p3 and earlier |
All |
3 | 2.4.x release notes |
| Magento Open Source |
2.4.6-p1 for 2.4.6 and earlier 2.4.5-p3 for 2.4.5-p2 and earlier 2.4.4-p4 for 2.4.4-p3 and earlier |
All |
3 | |
| Note: * These versions are only applicable to customers participating in the Extended Support Program | ||||
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? |
CVSS base score |
CVSS vector |
CVE number(s) |
|---|---|---|---|---|---|---|---|
| Information Exposure (CWE-200) |
Security feature bypass |
Important | No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2023-29287 |
| Incorrect Authorization (CWE-863) |
Security feature bypass |
Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2023-29288 |
| XML Injection (aka Blind XPath Injection) (CWE-91) |
Security feature bypass |
Important | Yes | Yes | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-29289 |
| Missing Support for Integrity Check (CWE-353) |
Security feature bypass |
Important | No | No | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVE-2023-29290 |
| Server-Side Request Forgery (SSRF) (CWE-918) |
Security feature bypass |
Important | Yes | Yes | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-29291 |
| Server-Side Request Forgery (SSRF) (CWE-918) |
Arbitrary file system read |
Important | Yes | Yes | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-29292 |
| Improper Input Validation (CWE-20) |
Security feature bypass |
Moderate | Yes | Yes | 2.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L |
CVE-2023-29293 |
| Business Logic Errors (CWE-840) |
Security feature bypass |
Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2023-29294 |
| Incorrect Authorization (CWE-863) |
Security feature bypass |
Moderate |
Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2023-29295 |
| Incorrect Authorization (CWE-863) |
Security feature bypass |
Moderate | Yes | No | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVE-2023-29296 |
| Cross-site Scripting (Stored XSS) (CWE-79) |
Arbitrary code execution |
Critical | Yes | Yes | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2023-29297 |
| Incorrect Authorization (CWE-863) |
Security feature bypass |
Critical |
No | No | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-22248 |
Note:
Authentication required to exploit: The vulnerability is (or is not) exploitable without credentials.
Exploit requires admin privileges: The vulnerability is (or is not) only exploitable by an attacker with administrative privileges.
Acknowledgements
Adobe would like to thank the following researchers for reporting these issues and working with Adobe to help protect our customers:
- Aliefis Galih (aliefis) - CVE-2023-29289, CVE-2023-29294, CVE-2023-29295
- Sebastien Cantos (truff) - CVE-2023-29291, CVE-2023-29292
- Pieter Zandbergen (pmzandbergen) - CVE-2023-29290
- Tomasz Gregorczyk (silpion) - CVE-2023-29293
- Blaklis (blaklis) - CVE-2023-29297
- Kunal Pandey (kunal94) - CVE-2023-22248
NOTE: Adobe has a private, invite-only, bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please fill out this form for next steps.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.