First published: Tue Jun 25 2019
Insufficient input validation in the config builder of the Elasticsearch module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, and Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.
Credit: psirt@adobe.com
Affected Software | Affected Version | How to fix |
---|---|---|
composer/magento/product-community-edition | >=2.1 <2.1.18, >=2.2 <2.2.9, >=2.3 <2.3.2 | |
composer/magento/community-edition | >=2.3 <2.3.2 | 2.3.2 |
composer/magento/community-edition | >=2.2 <2.2.9 | 2.2.9 |
composer/magento/community-edition | >=2.1 <2.1.18 | 2.1.18 |
Adobe Magento | >=2.1.0 <2.1.18 | |
Adobe Magento | >=2.2.0 <2.2.9 | |
Adobe Magento | >=2.3.0 <2.3.2 | |
CVE-2019-7885 is considered a critical vulnerability due to its potential for remote code execution.
To fix CVE-2019-7885, upgrade your Magento instance to version 2.1.18, 2.2.9, or 2.3.2 or later.
CVE-2019-7885 affects Magento versions 2.1.x prior to 2.1.18, 2.2.x prior to 2.2.9, and 2.3.x prior to 2.3.2.
CVE-2019-7885 requires authentication to exploit, specifically by users with the ability to configure the Elasticsearch module.
The impact of CVE-2019-7885 includes the potential for attackers to execute arbitrary code on affected Magento installations.