CVE-2021-21426 – openmage/magento-lts
Package
Manager: composer
Name: openmage/magento-lts
Vulnerable Version: >=0 <19.4.13 || >=20.0.0 <20.0.9
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00405 (percentile: 0.60232)
Details
Fixes a bug in Zend Framework's Stream HTTP Wrapper

### Impact
CVE-2021-3007: Backport of Zend_Http_Response_Stream, added certain type checking as a way to prevent exploitation.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007

This vulnerability is caused by the insecure deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case inserts malicious code instead of the “callbackOptions” array.

### Patches
v20.0.9
v19.4.13
Metadata
Created: 2021-04-22T16:10:49Z
Modified: 2021-04-30T20:19:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-m496-x567-f98c/GHSA-m496-x567-f98c.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-m496-x567-f98c
Finding: F096
Auto approve: 1