Magento up to 2.1.17/2.2.8/2.3.1 Elastic Search Config Remote Code Execution

A vulnerability, which was classified as critical, was found in Magento up to 2.1.17/2.2.8/2.3.1. Affected is an unknown part of the component Elastic Search. The manipulation as part of a Config leads to a privilege escalation vulnerability (Code Execution). CWE is classifying the issue as CWE-269. This is going to have an impact on confidentiality, integrity, and availability.

The weakness was disclosed 08/02/2019. The advisory is available at magento.com. This vulnerability is traded as CVE-2019-7885 since 02/12/2019. It is possible to launch the attack remotely. A single authentication is required for exploitation. The technical details are unknown and an exploit is not available.

Upgrading to version 2.1.18, 2.2.9 or 2.3.2 eliminates this vulnerability.

The entries 139403, 139404, 139412 and 139413 are pretty similar.

Name

• Magento

• 🔒
• 🔒
• 🔒

• 🔒
• 🔒
• 🔒

VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0

VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔒
VulDB Reliability: 🔍

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Class: Privilege escalation / Code Execution (CWE-269)
Local: No
Remote: Yes

Availability: 🔒
Status: Not defined

Price Prediction: 🔍
Current Price Estimation: 🔒

Threat Intelligenceinfoedit

Threat: 🔍
Adversaries: 🔍
Geopolitics: 🔍
Economy: 🔍
Predictions: 🔍
Remediation: 🔍Recommended: Upgrade
Status: 🔍

0-Day Time: 🔒

Upgrade: Magento 2.1.18/2.2.9/2.3.2

02/12/2019 CVE assigned
08/02/2019 +171 days Advisory disclosed
08/04/2019 +2 days VulDB entry created
08/04/2019 +0 days VulDB last updateAdvisory: magento.com

CVE: CVE-2019-7885 (🔒)
See also: 🔒

Created: 08/04/2019 07:38 AM
Complete: 🔍

Comments

Comments are closed.