PT-2019-18805 · Adobe · Magento

Published

2019-08-02

Updated

2022-05-24

CVE-2019-7885

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Magento 2.1 versions 2.1.0 through 2.1.17 Magento 2.2 versions 2.2.0 through 2.2.8 Magento 2.3 versions 2.3.0 through 2.3.1

Description The issue is related to insufficient input validation in the config builder of the Elastic search module, which could lead to remote code execution. This could be exploited by an authenticated user with the ability to configure the catalog search.

Recommendations For Magento 2.1 versions 2.1.0 through 2.1.17, update to version 2.1.18 or later. For Magento 2.2 versions 2.2.0 through 2.2.8, update to version 2.2.9 or later. For Magento 2.3 versions 2.3.0 through 2.3.1, update to version 2.3.2 or later.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2019-7885

GHSA-MP9R-RH95-F8F8

Affected Products

Magento

PT-2019-18805 · Adobe · Magento

CVE-2019-7885

Weakness Enumeration

Related Identifiers

Affected Products

References · 7