CVE-2019-7892

HIGH7.2EPSS 0.83%

Magento 2 Community Edition RCE Vulnerability via SSRF

發布日:2022/5/24修改日:2024/2/16

描述

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to access shipment settings can execute arbitrary code via server-side request forgery.

受影響套件(1)

Packagist/magento/community-edition>= 2.1, < 2.1.18

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.2	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-7892
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7892.yaml
WEBhttps://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13