Vulnerability-Lookup

CVE-2021-21022 (GCVE-0-2021-21022)

Vulnerability from cvelistv5 – Published: 2021-02-11 19:29 – Updated: 2024-09-16 17:57

Title

Magento Commerce Incorrect permissions Could Lead To Unauthorized Access

Summary

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.

Severity

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key (CWE-639)

Assigner

adobe

References

1 reference

URL	Tags
https://helpx.adobe.com/security/products/magento…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
Adobe	Magento Commerce	Affected: unspecified , ≤ 2.4.1 (custom) Affected: unspecified , ≤ 2.4.0-p1 (custom) Affected: unspecified , ≤ 2.3.6 (custom) Affected: unspecified , ≤ None (custom)

Date Public

2021-02-09 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:53:23.241Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Magento Commerce",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.4.0-p1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.3.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "None",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-02-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "Authorization Bypass Through User-Controlled Key (CWE-639)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-11T19:29:31.000Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
          "ID": "CVE-2021-21022",
          "STATE": "PUBLIC",
          "TITLE": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Magento Commerce",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.0-p1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.3.6"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "None",
            "attackVector": "None",
            "availabilityImpact": "None",
            "baseScore": 5.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "None",
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
              "refsource": "MISC",
              "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2021-21022",
    "datePublished": "2021-02-11T19:29:31.371Z",
    "dateReserved": "2020-12-18T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:57:55.462Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-21022",
      "date": "2026-05-27",
      "epss": "0.00154",
      "percentile": "0.35635"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*\", \"versionEndExcluding\": \"2.3.6\", \"matchCriteriaId\": \"14B6B496-E849-4935-B3D8-8BDB8DDD59A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*\", \"versionEndExcluding\": \"2.3.6\", \"matchCriteriaId\": \"79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*\", \"matchCriteriaId\": \"F9C60780-1213-4D06-A4C4-CC915C952B7B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*\", \"matchCriteriaId\": \"3CCEDD72-7195-495C-A9B6-9D18BA9756F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*\", \"matchCriteriaId\": \"05F799AA-CDC0-409F-BB7E-CB941D6FB189\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*\", \"matchCriteriaId\": \"600AA27A-D2A8-41C3-8631-74ECF7453E78\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*\", \"matchCriteriaId\": \"67683B07-34CD-4DD2-A6C9-C71733007397\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*\", \"matchCriteriaId\": \"ECA32B69-E9D8-4C01-ACDC-E0F885D937FB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*\", \"matchCriteriaId\": \"80860D39-0D51-47B3-BA92-F473ADA1BBC3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*\", \"matchCriteriaId\": \"2ADFE661-AB9C-4387-AC4F-D14A0717C2B8\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.\"}, {\"lang\": \"es\", \"value\": \"Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una referencia directa a objeto no segura (IDOR) en el m\\u00f3dulo del producto.\u0026#xa0;Una explotaci\\u00f3n con \\u00e9xito podr\\u00eda conllevar a un acceso no autorizado a recursos restringidos\"}]",
      "id": "CVE-2021-21022",
      "lastModified": "2024-11-21T05:47:25.180",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV30\": [{\"source\": \"psirt@adobe.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2021-02-11T20:15:14.327",
      "references": "[{\"url\": \"https://helpx.adobe.com/security/products/magento/apsb21-08.html\", \"source\": \"psirt@adobe.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://helpx.adobe.com/security/products/magento/apsb21-08.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "psirt@adobe.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"psirt@adobe.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-639\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21022\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2021-02-11T20:15:14.327\",\"lastModified\":\"2024-11-21T05:47:25.180\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.\"},{\"lang\":\"es\",\"value\":\"Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una referencia directa a objeto no segura (IDOR) en el m\u00f3dulo del producto.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda conllevar a un acceso no autorizado a recursos restringidos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV30\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*\",\"versionEndExcluding\":\"2.3.6\",\"matchCriteriaId\":\"14B6B496-E849-4935-B3D8-8BDB8DDD59A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*\",\"versionEndExcluding\":\"2.3.6\",\"matchCriteriaId\":\"79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*\",\"matchCriteriaId\":\"F9C60780-1213-4D06-A4C4-CC915C952B7B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*\",\"matchCriteriaId\":\"3CCEDD72-7195-495C-A9B6-9D18BA9756F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*\",\"matchCriteriaId\":\"05F799AA-CDC0-409F-BB7E-CB941D6FB189\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*\",\"matchCriteriaId\":\"600AA27A-D2A8-41C3-8631-74ECF7453E78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*\",\"matchCriteriaId\":\"67683B07-34CD-4DD2-A6C9-C71733007397\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*\",\"matchCriteriaId\":\"ECA32B69-E9D8-4C01-ACDC-E0F885D937FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*\",\"matchCriteriaId\":\"80860D39-0D51-47B3-BA92-F473ADA1BBC3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*\",\"matchCriteriaId\":\"2ADFE661-AB9C-4387-AC4F-D14A0717C2B8\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/magento/apsb21-08.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://helpx.adobe.com/security/products/magento/apsb21-08.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-100

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Magento. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Adobe	Magento	Magento Commerce et Magento Open Source versions 2.3 antérieures à 2.3.6-p1
	Adobe	Magento	Magento Commerce et Magento Open Source versions 2.4 antérieures à 2.4.2 ou 2.4.1-p1

References

Title

Publication Time

CERTFR-2021-AVI-100

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Adobe	Magento	Magento Commerce et Magento Open Source versions 2.3 antérieures à 2.3.6-p1
	Adobe	Magento	Magento Commerce et Magento Open Source versions 2.4 antérieures à 2.4.2 ou 2.4.1-p1

References

Title

Publication Time

BDU:2021-02525

Vulnerability from fstec - Published: 09.02.2021

Title

Уязвимость программной платформы для разработки и управления онлайн магазинами Magento Commerce, связанная с ошибками авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Description

Уязвимость программной платформы для разработки и управления онлайн магазинами Magento Commerce связана с ошибками авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации

Severity


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vendor

Adobe Systems Inc.

Software Name

Magento Commerce, Magento Open Source

Software Version

до 2.3.6-p1 (Magento Commerce), до 2.4.1-p1 (Magento Commerce), до 2.4.2 (Magento Commerce), до 2.3.6-p1 (Magento Open Source), до 2.4.1-p1 (Magento Open Source), до 2.4.2 (Magento Open Source)

Possible Mitigations

Использование рекомендаций производителя: https://helpx.adobe.com/security/products/magento/apsb21-08.html

Reference

https://helpx.adobe.com/security/products/magento/apsb21-08.html https://nvd.nist.gov/vuln/detail/CVE-2021-21022

CWE

CWE-285

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Adobe Systems Inc.",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.3.6-p1 (Magento Commerce), \u0434\u043e 2.4.1-p1 (Magento Commerce), \u0434\u043e 2.4.2 (Magento Commerce), \u0434\u043e 2.3.6-p1 (Magento Open Source), \u0434\u043e 2.4.1-p1 (Magento Open Source), \u0434\u043e 2.4.2 (Magento Open Source)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://helpx.adobe.com/security/products/magento/apsb21-08.html",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "09.02.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.05.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "19.05.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-02525",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-21022",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Magento Commerce, Magento Open Source",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043e\u043d\u043b\u0430\u0439\u043d \u043c\u0430\u0433\u0430\u0437\u0438\u043d\u0430\u043c\u0438 Magento Commerce, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f (CWE-285)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043e\u043d\u043b\u0430\u0439\u043d \u043c\u0430\u0433\u0430\u0437\u0438\u043d\u0430\u043c\u0438 Magento Commerce \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://helpx.adobe.com/security/products/magento/apsb21-08.html\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21022",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-285",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,3)"
}

bit-magento-2021-21022

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:00

Modified

2026-03-20 09:47

Summary

Magento Commerce Incorrect permissions Could Lead To Unauthorized Access

Details

Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "magento",
        "purl": "pkg:bitnami/magento"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.6"
            },
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21022"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*",
      "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*",
      "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*",
      "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*",
      "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Magento versions 2.4.1 (and earlier), 2.4.0 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.",
  "id": "BIT-magento-2021-21022",
  "modified": "2026-03-20T09:47:33.381Z",
  "published": "2024-03-06T11:00:59.160Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21022"
    }
  ],
  "schema_version": "1.5.0",
  "summary": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access"
}

CNVD-2021-13924

Vulnerability from cnvd - Published: 2021-03-02

Title

Adobe Magento不安全的直接对象引用漏洞

Description

Adobe Magento是Adobe公司旗下一款用PHP编写的开源电子商务平台。Magento Community Edition是社区版，后改称Magento Open Source，Magento Enterprise Edition是企业版，后改称Magento Commerce。 Adobe Magento存在不安全的直接对象引用漏洞，攻击者可利用该漏洞未经授权访问受限资源。

Severity

中

Patch Name

Adobe Magento不安全的直接对象引用漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://helpx.adobe.com/security/products/magento/apsb21-08.html

Reference

https://helpx.adobe.com/security/products/magento/apsb21-08.html

Impacted products

Name
['Adobe Magento <=2.4.1', 'Adobe Magento <=2.4.0-p1', 'Adobe Magento <=2.3.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21022",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21022"
    }
  },
  "description": "Adobe Magento\u662fAdobe\u516c\u53f8\u65d7\u4e0b\u4e00\u6b3e\u7528PHP\u7f16\u5199\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002Magento Community Edition\u662f\u793e\u533a\u7248\uff0c\u540e\u6539\u79f0Magento Open Source\uff0cMagento Enterprise Edition\u662f\u4f01\u4e1a\u7248\uff0c\u540e\u6539\u79f0Magento Commerce\u3002\n\nAdobe Magento\u5b58\u5728\u4e0d\u5b89\u5168\u7684\u76f4\u63a5\u5bf9\u8c61\u5f15\u7528\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u53d7\u9650\u8d44\u6e90\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://helpx.adobe.com/security/products/magento/apsb21-08.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-13924",
  "openTime": "2021-03-02",
  "patchDescription": "Adobe Magento\u662fAdobe\u516c\u53f8\u65d7\u4e0b\u4e00\u6b3e\u7528PHP\u7f16\u5199\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002Magento Community Edition\u662f\u793e\u533a\u7248\uff0c\u540e\u6539\u79f0Magento Open Source\uff0cMagento Enterprise Edition\u662f\u4f01\u4e1a\u7248\uff0c\u540e\u6539\u79f0Magento Commerce\u3002\r\n\r\nAdobe Magento\u5b58\u5728\u4e0d\u5b89\u5168\u7684\u76f4\u63a5\u5bf9\u8c61\u5f15\u7528\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u53d7\u9650\u8d44\u6e90\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Magento\u4e0d\u5b89\u5168\u7684\u76f4\u63a5\u5bf9\u8c61\u5f15\u7528\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Adobe Magento \u003c=2.4.1",
      "Adobe Magento \u003c=2.4.0-p1",
      "Adobe Magento \u003c=2.3.6"
    ]
  },
  "referenceLink": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-10",
  "title": "Adobe Magento\u4e0d\u5b89\u5168\u7684\u76f4\u63a5\u5bf9\u8c61\u5f15\u7528\u6f0f\u6d1e"
}

FKIE_CVE-2021-21022

Vulnerability from fkie_nvd - Published: 2021-02-11 20:15 - Updated: 2024-11-21 05:47

Severity

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	psirt@adobe.com	https://helpx.adobe.com/security/products/magento/apsb21-08.html	Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://helpx.adobe.com/security/products/magento/apsb21-08.html	Vendor Advisory

Impacted products

Vendor	Product	Version
magento	magento	*
magento	magento	*
magento	magento	2.3.6
magento	magento	2.3.6
magento	magento	2.4.0
magento	magento	2.4.0
magento	magento	2.4.0
magento	magento	2.4.0
magento	magento	2.4.1
magento	magento	2.4.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*",
              "matchCriteriaId": "14B6B496-E849-4935-B3D8-8BDB8DDD59A3",
              "versionEndExcluding": "2.3.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*",
              "matchCriteriaId": "79C3A2B0-AE14-4D0F-BEE2-82FC00BE6087",
              "versionEndExcluding": "2.3.6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*",
              "matchCriteriaId": "F9C60780-1213-4D06-A4C4-CC915C952B7B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*",
              "matchCriteriaId": "3CCEDD72-7195-495C-A9B6-9D18BA9756F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*",
              "matchCriteriaId": "05F799AA-CDC0-409F-BB7E-CB941D6FB189",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*",
              "matchCriteriaId": "600AA27A-D2A8-41C3-8631-74ECF7453E78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*",
              "matchCriteriaId": "67683B07-34CD-4DD2-A6C9-C71733007397",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*",
              "matchCriteriaId": "ECA32B69-E9D8-4C01-ACDC-E0F885D937FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*",
              "matchCriteriaId": "80860D39-0D51-47B3-BA92-F473ADA1BBC3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*",
              "matchCriteriaId": "2ADFE661-AB9C-4387-AC4F-D14A0717C2B8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
    },
    {
      "lang": "es",
      "value": "Magento versiones 2.4.1 (y anteriores), versiones 2.4.0-p1 (y anteriores) y versiones 2.3.6 (y anteriores), son vulnerables a una referencia directa a objeto no segura (IDOR) en el m\u00f3dulo del producto.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito podr\u00eda conllevar a un acceso no autorizado a recursos restringidos"
    }
  ],
  "id": "CVE-2021-21022",
  "lastModified": "2024-11-21T05:47:25.180",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "psirt@adobe.com",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-11T20:15:14.327",
  "references": [
    {
      "source": "psirt@adobe.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    }
  ],
  "sourceIdentifier": "psirt@adobe.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "psirt@adobe.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}

GHSA-8PFQ-G48P-X7W8

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2025-02-10 20:47

Summary

Magento Insecure Direct Object Reference (IDOR) in the product module

Details

Severity

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.6-p1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.1-p1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "magento/project-community-edition"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T20:10:39Z",
    "nvd_published_at": "2021-02-11T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.",
  "id": "GHSA-8pfq-g48p-x7w8",
  "modified": "2025-02-10T20:47:55Z",
  "published": "2022-05-24T17:41:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21022"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/magento/magento2"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento Insecure Direct Object Reference (IDOR) in the product module"
}

GSD-2021-21022

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-21022

Aliases

CVE-2021-21022

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21022",
    "description": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.",
    "id": "GSD-2021-21022"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-21022"
      ],
      "details": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.",
      "id": "GSD-2021-21022",
      "modified": "2023-12-13T01:23:11.247127Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@adobe.com",
        "DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
        "ID": "CVE-2021-21022",
        "STATE": "PUBLIC",
        "TITLE": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Magento Commerce",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_value": "2.4.1"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "2.4.0-p1"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "2.3.6"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_value": "None"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Adobe"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "None",
          "attackVector": "None",
          "availabilityImpact": "None",
          "baseScore": 5.3,
          "baseSeverity": "Medium",
          "confidentialityImpact": "None",
          "integrityImpact": "None",
          "privilegesRequired": "None",
          "scope": "None",
          "userInteraction": "None",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
            "refsource": "MISC",
            "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.3.6||\u003e=2.4.0,\u003c=2.4.1",
          "affected_versions": "All versions after 2.3.6 before 2.3.6, all versions starting from 2.4.0 up to 2.4.1",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-639",
            "CWE-937"
          ],
          "date": "2022-08-19",
          "description": "Magento is vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources.",
          "fixed_versions": [
            "2.3.6",
            "2.4.2"
          ],
          "identifier": "CVE-2021-21022",
          "identifiers": [
            "CVE-2021-21022"
          ],
          "not_impacted": "All versions starting from 2.3.6 before 2.4.0, all versions after 2.4.1",
          "package_slug": "packagist/magento/community-edition",
          "pubdate": "2021-02-11",
          "solution": "Upgrade to versions 2.3.6, 2.4.2 or above.",
          "title": "Improper Authorization",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21022",
            "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
          ],
          "uuid": "cd2983db-d1a2-4252-8984-30f8cb5d1e22"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.3.6",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:open_source:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.1:-:*:*:commerce:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:open_source:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:open_source:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.0:-:*:*:commerce:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.4.0:p1:*:*:commerce:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:open_source:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:magento:magento:2.3.6:-:*:*:commerce:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "ID": "CVE-2021-21022"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object reference (IDOR) in the product module. Successful exploitation could lead to unauthorized access to restricted resources."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-639"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2022-08-19T11:35Z",
      "publishedDate": "2021-02-11T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21022 (GCVE-0-2021-21022)

Solution

Solution

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature