CVE-2023-29291

Name of the Vulnerable Software and Affected Versions Adobe Commerce versions 2.4.6 and earlier Adobe Commerce versions 2.4.5-p2 and earlier Adobe Commerce versions 2.4.4-p3 and earlier

Description The issue is related to a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. An admin-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. The vulnerability is associated with insufficient checking of incoming requests on the server side, which may allow a remote attacker to perform an SSRF attack.

Recommendations For Adobe Commerce versions 2.4.6 and earlier, update to a version that includes a fix for this issue. For Adobe Commerce versions 2.4.5-p2 and earlier, update to a version that includes a fix for this issue. For Adobe Commerce versions 2.4.4-p3 and earlier, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the application to minimize the risk of exploitation.