cnvd - cnvd-2021-13920

CNVD-2021-13920

Vulnerability from cnvd - Published: 2021-03-02

Title

Adobe Magento不当授权漏洞（CNVD-2021-13920）

Description

Adobe Magento是Adobe公司旗下一款用PHP编写的开源电子商务平台。Magento Community Edition是社区版，后改称Magento Open Source，Magento Enterprise Edition是企业版，后改称Magento Commerce。 Adobe Magento存在不当授权漏洞，攻击者可利用该漏洞未经授权访问受限资源。

Severity

中

Patch Name

Adobe Magento不当授权漏洞（CNVD-2021-13920）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://helpx.adobe.com/security/products/magento/apsb21-08.html

Reference

https://helpx.adobe.com/security/products/magento/apsb21-08.html

Impacted products

Name
['Adobe Magento <=2.4.1', 'Adobe Magento <=2.4.0-p1', 'Adobe Magento <=2.3.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-21026",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21026"
    }
  },
  "description": "Adobe Magento\u662fAdobe\u516c\u53f8\u65d7\u4e0b\u4e00\u6b3e\u7528PHP\u7f16\u5199\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002Magento Community Edition\u662f\u793e\u533a\u7248\uff0c\u540e\u6539\u79f0Magento Open Source\uff0cMagento Enterprise Edition\u662f\u4f01\u4e1a\u7248\uff0c\u540e\u6539\u79f0Magento Commerce\u3002\n\nAdobe Magento\u5b58\u5728\u4e0d\u5f53\u6388\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u53d7\u9650\u8d44\u6e90\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://helpx.adobe.com/security/products/magento/apsb21-08.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-13920",
  "openTime": "2021-03-02",
  "patchDescription": "Adobe Magento\u662fAdobe\u516c\u53f8\u65d7\u4e0b\u4e00\u6b3e\u7528PHP\u7f16\u5199\u7684\u5f00\u6e90\u7535\u5b50\u5546\u52a1\u5e73\u53f0\u3002Magento Community Edition\u662f\u793e\u533a\u7248\uff0c\u540e\u6539\u79f0Magento Open Source\uff0cMagento Enterprise Edition\u662f\u4f01\u4e1a\u7248\uff0c\u540e\u6539\u79f0Magento Commerce\u3002\r\n\r\nAdobe Magento\u5b58\u5728\u4e0d\u5f53\u6388\u6743\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u672a\u7ecf\u6388\u6743\u8bbf\u95ee\u53d7\u9650\u8d44\u6e90\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Adobe Magento\u4e0d\u5f53\u6388\u6743\u6f0f\u6d1e\uff08CNVD-2021-13920\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Adobe Magento \u003c=2.4.1",
      "Adobe Magento \u003c=2.4.0-p1",
      "Adobe Magento \u003c=2.3.6"
    ]
  },
  "referenceLink": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-10",
  "title": "Adobe Magento\u4e0d\u5f53\u6388\u6743\u6f0f\u6d1e\uff08CNVD-2021-13920\uff09"
}

CVE-2021-21026 (GCVE-0-2021-21026)

Vulnerability from cvelistv5 – Published: 2021-02-11 19:29 – Updated: 2024-09-16 20:17

Summary

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-285 - Improper Authorization (CWE-285)

Assigner

adobe

References

URL

Tags

https://helpx.adobe.com/security/products/magento…

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Adobe	Magento Commerce	Affected: unspecified , ≤ 2.4.1 (custom) Affected: unspecified , ≤ 2.4.0-p1 (custom) Affected: unspecified , ≤ 2.3.6 (custom) Affected: unspecified , ≤ None (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:01:13.691Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Magento Commerce",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2.4.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.4.0-p1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.3.6",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "None",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-02-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "Improper Authorization (CWE-285)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-11T19:29:31",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@adobe.com",
          "DATE_PUBLIC": "2021-02-09T23:00:00.000Z",
          "ID": "CVE-2021-21026",
          "STATE": "PUBLIC",
          "TITLE": "Magento Commerce Incorrect permissions Could Lead To Unauthorized Access"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Magento Commerce",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.4.0-p1"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2.3.6"
                          },
                          {
                            "version_affected": "\u003c=",
                            "version_value": "None"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Adobe"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are affected by an improper authorization vulnerability in the integrations module. Successful exploitation could lead to unauthorized access to restricted resources by an unauthenticated attacker. Access to the admin console is required for successful exploitation."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "None",
            "attackVector": "None",
            "availabilityImpact": "None",
            "baseScore": 5.3,
            "baseSeverity": "Medium",
            "confidentialityImpact": "None",
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "None",
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Authorization (CWE-285)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html",
              "refsource": "MISC",
              "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2021-21026",
    "datePublished": "2021-02-11T19:29:31.581101Z",
    "dateReserved": "2020-12-18T00:00:00",
    "dateUpdated": "2024-09-16T20:17:11.549Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-13920

CVE-2021-21026 (GCVE-0-2021-21026)

Tags

Sightings

Nomenclature