Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-38

Bulletin ID	Date Published	Priority
APSB22-38	August 9, 2022	3

Summary

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.

Affected Versions

Product	Version	Platform
Adobe Commerce	2.4.3-p2 and earlier versions	All
Adobe Commerce	2.3.7-p3 and earlier versions	All
Adobe Commerce	2.4.4 and earlier versions	All
Magento Open Source	2.4.3-p2 and earlier versions	All
Magento Open Source	2.3.7-p3 and earlier versions	All
Magento Open Source	2.4.4 and earlier versions	All

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product	Updated Version	Platform	Priority Rating	Installation Instructions
Adobe Commerce	2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5	All	3	2.4.x release notes 2.3.x release notes
Magento Open Source	2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5	All	3

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce

2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5

All

3

2.4.x release notes

2.3.x release notes

Magento Open Source

2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5

All

3

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	Authentication required to exploit?	Exploit requires admin privileges?	CVSS base score	CVSS vector	Magento Bug ID	CVE number(s)
XML Injection (aka Blind XPath Injection) (CWE-91)	Arbitrary code execution	Critical	Yes	Yes	9.1	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	PRODSECBUG-3095	CVE-2022-34253
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)	Arbitrary code execution	Critical	Yes	No	8.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N	PRODSECBUG-3081	CVE-2022-34254
Improper Input Validation (CWE-20)	Privilege escalation	Critical	Yes	No	8.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L	PRODSECBUG-3082	CVE-2022-34255
Improper Authorization (CWE-285)	Privilege escalation	Critical	No	No	8.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N	PRODSECBUG-3093	CVE-2022-34256
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Important	No	No	6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	PRODSECBUG-3079	CVE-2022-34257
Cross-site Scripting (Stored XSS) (CWE-79)	Arbitrary code execution	Moderate	Yes	Yes	3.5	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N	PRODSECBUG-3080	CVE-2022-34258
Improper Access Control (CWE-284)	Security feature bypass	Important	No	No	5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	PRODSECBUG-3180	CVE-2022-34259
Improper Authorization (CWE-285)	Security feature bypass	Moderate	No	No	3.7	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	PRODSECBUG-3151	CVE-2022-35692
Improper Input Validation (CWE-20)	Privilege escalation	Critical	Yes	No	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	PRODSECBUG-3196	CVE-2022-42344

Acknowledgements

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

zb3 (zb3) -- CVE-2022-34253, CVE-2022-34255, CVE-2022-34256
Edgar Boda-Majer (eboda) - CVE-2022-34254, CVE-2022-34257
Salman Khan (salmanbabuzai) - CVE-2022-34258
Axel Flamcourt (axfla) - CVE-2022-34259, CVE-2022-35692
fqdn - CVE-2022-42344

Revisions

October 18, 2022: Added CVE-2022-42344

August 22, 2022: Priority rating revision in Solution table

August 18, 2022: Added CVE-2022-35692

August 12, 2022: Updated values in "Authentication required to exploit" and "Exploit requires admin privileges."

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.