CVE-2024-49521

Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb24-90.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:adobe:commerce::::::::
	cpe:2.3:a:adobe:magento:::::open_source:::*

History

No history.

Information

Published : 2024-11-12 17:15

Updated : 2024-11-18 18:44

NVD link : CVE-2024-49521

Mitre link : CVE-2024-49521

CVE.ORG link : CVE-2024-49521

JSON object : View

Products Affected

adobe

magento
commerce

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-49521", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "psirt@adobe.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2024-11-12T17:15:08.783", "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb24-90.html", "tags": ["Vendor Advisory"], "source": "psirt@adobe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@adobe.com", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. A low privileged attacker could exploit this vulnerability to send crafted requests from the vulnerable server to internal systems, which could result in the bypassing of security measures such as firewalls. Exploitation of this issue does not require user interaction."}, {"lang": "es", "value": "Las versiones 3.2.5 y anteriores de Adobe Commerce se ven afectadas por una vulnerabilidad de Server-Side Request Forgery (SSRF) que podr\u00eda provocar la omisi\u00f3n de una funci\u00f3n de seguridad. Un atacante con pocos privilegios podr\u00eda aprovechar esta vulnerabilidad para enviar solicitudes manipuladas a medida desde el servidor vulnerable a sistemas internos, lo que podr\u00eda provocar la omisi\u00f3n de medidas de seguridad como los firewalls. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario."}], "lastModified": "2024-11-18T18:44:32.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2731236-D6E0-497F-8057-4F35A51E174C", "versionEndExcluding": "3.2.6"}, {"criteria": "cpe:2.3:a:adobe:magento:*:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "4D88B043-948D-4D45-9B6E-A29FC028C200", "versionEndExcluding": "3.2.6"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@adobe.com"}