New RCE flaw added to Adobe Commerce, Magento security advisory | ZDNet

Adobe has updated its advisory on an actively exploited critical vulnerability in the Adobe Commerce and Magento Open Source platforms to include another RCE bug.

The tech giant published revisions to the advisory on February 17. 

Adobe originally issued an out-of-band patch on February 13 to resolve CVE-2022-24086, a critical pre-auth vulnerability that can be exploited by attackers to remotely execute arbitrary code. 

CVE-2022-24086 has been issued a CVSS severity score of 9.8. Adobe said the security flaw was being actively exploited “in very limited attacks targeting Adobe Commerce merchants.”

Now, Adobe has added a further vulnerability to the advisory, CVE-2022-24087.

“We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087),” Adobe said. 

The vulnerability has also been issued a CVSS score of 9.8 and impacts the same products in the same manner. 

The security flaws do not require any administrative privileges to trigger and both are described as improper input validation bugs leading to remote code execution (RCE).

As CVE-2022-24086 is being abused in the wild, Adobe has not released any further technical details. However, cybersecurity researchers from the Positive Technologies Offensive Team say they have been able to reproduce the vulnerability.

Adobe Commerce and Magento Open Source 2.3.3-p1 through 2.3.7-p2, and 2.4.0 through 2.4.3-p1, are impacted. Versions 2.3.0 to 2.3.3 are not affected by the vulnerabilities, according to the company.
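Because Magento version strings carry a separate patch level (`-pN`) that sorts after the bare release, a naive string comparison gets the affected ranges above wrong (for example, `2.3.3` is unaffected but `2.3.3-p1` is affected). The following is an added example, not code from the article, Adobe or the Magento project: it parses version strings into comparable tuples and triages a constructed store inventory against the ranges exactly as the article states them. Versions outside both the affected and the explicitly unaffected ranges are reported as not covered rather than guessed at.

```python
import re
from typing import Dict, List, Tuple

# Inclusive version ranges as given in the advisory summary above.
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]
# Range the vendor explicitly lists as not affected.
UNAFFECTED_RANGES = [("2.3.0", "2.3.3")]

# Matches "major.minor.patch" with an optional "-pN" patch-level suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a missing -pN suffix counts as 0.

    Tuples compare element-wise, so 2.3.3 < 2.3.3-p1 < 2.3.4 as intended.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def _within(version: Tuple[int, int, int, int], low: str, high: str) -> bool:
    return parse_version(low) <= version <= parse_version(high)


def classify(version: str) -> str:
    """Classify one version string against the advisory ranges."""
    parsed = parse_version(version)
    if any(_within(parsed, lo, hi) for lo, hi in AFFECTED_RANGES):
        return "affected"
    if any(_within(parsed, lo, hi) for lo, hi in UNAFFECTED_RANGES):
        return "not affected"
    # Anything else (older 2.2.x, or releases newer than the ranges listed)
    # is not addressed by the summary, so do not assume either way.
    return "not covered by advisory summary"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by classification so affected stores stand out."""
    groups: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    for hosts in groups.values():
        hosts.sort()
    return groups


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "shop-eu.example.com": "2.4.3-p1",
    "shop-us.example.com": "2.3.3",
    "shop-apac.example.com": "2.3.5",
    "legacy.example.com": "2.2.9",
    "staging.example.com": "2.4.3-p2",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

The classification deliberately treats the advisory text as the only source of truth: a host on a release newer than `2.4.3-p1` is flagged for manual review rather than silently assumed patched.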

Adobe has provided a guide for users to manually install the necessary security patches. 

Researchers Eboda and Blaklis were credited with the discovery of CVE-2022-24087. In a tweet, Blaklis said the first patch to resolve CVE-2022-24086 is “not sufficient” and has urged Magento & Commerce users to apply the new fixes. 
