CVE-2020-5777

Name of the Vulnerable Software and Affected Versions MAGMI versions prior to 0.7.24

Description The issue allows for a remote authentication bypass due to the use of default credentials when a database connection failure occurs. This failure can be triggered by a remote attacker by sending simultaneous requests to the Magento website, causing a "Too many connections" error. The attacker can then use default basic authentication to bypass authentication. This can happen when the Mysql setting max connections is lower than the Apache setting MaxRequestWorkers.

Recommendations For MAGMI versions prior to 0.7.24, update to version 0.7.24 or later to resolve the issue. As a temporary workaround, consider increasing the Mysql setting max connections to be equal to or higher than the Apache setting MaxRequestWorkers to prevent the "Too many connections" error. Additionally, restrict access to the default magmi:magmi basic authentication credentials to minimize the risk of exploitation.