Adobe Security Bulletin

Adobe Security Bulletin

Search
User Guide

On this page

Applies to: Digital Editions

某些 Creative Cloud 应用程序、服务和功能在中国不可用。

Security Updates Available for Magento | APSB20-22
Bulletin ID Date Published Priority
ASPB20-22
 April 28, 2020      
 2

Summary

Magento has released updates for Magento Commerce and Open Source editions.  These updates resolve vulnerabilities rated Critical, Important and Moderate (severity ratings).  Successful exploitation could lead to arbitrary code execution.    

Affected Versions

Product Version Platform
Magento Commerce 

 2.3.4 and earlier versions    

 All
Magento Open Source   

 2.3.4 and earlier versions    

 All
Magento Commerce 

 2.2.11 and earlier versions (see note)

 All
Magento Open Source  

 2.2.11 and earlier versions (see note)

 All
Magento Enterprise Edition    

 1.14.4.4 and earlier versions    

 All
Magento Community Edition  

 1.9.4.4 and earlier versions

 All

Note:

Magento 2.2x reached end of support on December 31, 2019.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product Version Platform Priority Rating Availability
Magento Commerce    
 2.3.4-p2 All 2 2.3.4-p2 Commerce
Magento Open Source    
 2.3.4-p2 All
 2

2.3.4-p2 Open Source
Magento Commerce    
 2.3.5-p1 All
 2
 2.3.5 Commerce
Magento Open Source    
 2.3.5-p1 All
 2
 2.3.5 Open Source
Magento Enterprise Edition    
 1.14.4.5 All
 2
 1.14.4.5
Magento Community Edition    
 1.9.4.5 All
 2
 1.9.4.5

Note:

Magento Commerce 2.2.12 is available exclusively to extended support Commerce customers.

Vulnerability details

Vulnerability Category Vulnerability Impact Severity Pre-authentication? Admin privileges required?

 Magento Bug ID CVE numbers
Command injection



 Arbitrary code execution



 Critical



 No Yes PRODSECBUG-2707



 CVE-2020-9576
Stored cross-site scripting    



 Sensitive information disclosure    



 Important Yes



 No PRODSECBUG-2671



 CVE-2020-9577 
Command injection



 Arbitrary code execution



 Critical 



 No Yes PRODSECBUG-2695



 CVE-2020-9578  
Security mitigation bypass



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2696



 CVE-2020-9579
Security mitigation bypass



 Arbitrary code execution Critical



 No



 Yes



 PRODSECBUG-2697



 CVE-2020-9580
Stored cross-site scripting



 Sensitive information disclosure



 Important



 No



 Yes



 PRODSECBUG-2700



 CVE-2020-9581
Command injection



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2708



 CVE-2020-9582
Command injection



 Arbitrary code execution



 Critical



 No



 Yes



 PRODSECBUG-2710



 CVE-2020-9583
Stored cross-site scripting



 Sensitive information disclosure



 Important



 Yes



 No



 PRODSECBUG-2715



 CVE-2020-9584
Defense-in-depth security mitigation



 Arbitrary code execution



 Moderate



 No



 Yes



 PRODSECBUG-2541



 CVE-2020-9585
Defense-in-depth security mitigation



 Unauthorized access to admin panel



 Moderate



 Yes Yes



 MPERF-10898



 CVE-2020-9591
Authorization bypass



 Potentially unauthorized product discounts



 Moderate



 Yes



 No



 PRODSECBUG-2518



 CVE-2020-9587
Observable Timing Discrepancy Signature verification bypass



 Important



 No



 Yes



 PRODSECBUG-2677



 CVE-2020-9588
Business logic error Privilege escalation Important No Yes PRODSECBUG-2722 CVE-2020-9630
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2703 CVE-2020-9631
Security mitigation bypass Arbitrary code execution Critical No Yes PRODSECBUG-2704 CVE-2020-9632

Note:

1.     CVE-2020-9585 is mitigated in default installs

2.     CVE-2020-9591 exclusively impacts Magento 1

Note:

Pre-authentication:  The vulnerability is exploitable without credentials.   

Admin privileges required:  The vulnerability is only exploitable by an attacker with administrative privileges.  

Acknowledgments

Adobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:  

  • Blaklis (CVE-2020-9576, CVE-2020-9579, CVE-2020-9581, CVE-2020-9582, CVE-2020-9583, CVE-2020-9584)
  • Flatmoon (CVE-2020-9577)
  • Y0natan (CVE-2020-9578)
  • Edgar Boda-Majer (CVE-2020-9580)
  • Qubitz (CVE-2020-9585)
  • Magnusg (CVE-2020-9587)
  • Wasin Sae-ngow (CVE-2020-9588)
  • Max Chadwick (CVE-2020-9630)

 

Revisions

May 4, 2020: Removed acknowledgement for CVE-2020-9586.

May 7, 2020: Added CVE-2020-9630, which was inadvertently omitted from original version. 

May 12, 2020: Added CVE-2020-9631 and CVE-2020-9632, which were inadvertently omitted from original version.