CVE-2019-7885 – magento/community-edition
Package
Manager: composer
Name: magento/community-edition
Vulnerable Version: >=2.1 <2.1.18 || >=2.2 <2.2.9 || >=2.3 <2.3.2
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00632 (percentile: 0.69429)
Details
Magento 2 Community Edition RCE Vulnerability
Insufficient input validation in the config builder of the Elasticsearch module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
Metadata
Created: 2022-05-24T16:52:25Z
Modified: 2024-02-12T11:31:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mp9r-rh95-f8f8/GHSA-mp9r-rh95-f8f8.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-mp9r-rh95-f8f8
Finding: F184
Auto approve: 1