CVE-2019-7930: Malicious File Upload
First published: Tue Jun 25 2019(Updated: )
A file upload restriction bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with administrator privileges to the import feature can make modifications to a configuration file, resulting in potentially unauthorized removal of file upload restrictions. This can result in arbitrary code execution when a malicious file is then uploaded and executed on the system.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/community-edition | >=2.3<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1<2.1.18 | 2.1.18 |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://nvd.nist.gov/vuln/detail/CVE-2019-7930
- https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/advisories/GHSA-3h69-4frw-g2jm (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7930.yaml
Frequently Asked Questions
What is the severity of CVE-2019-7930?
CVE-2019-7930 has a medium severity rating that could allow an authenticated user to bypass file upload restrictions.
How do I fix CVE-2019-7930?
To fix CVE-2019-7930, you should upgrade Magento to version 2.1.18, 2.2.9, or 2.3.2, which addresses this vulnerability.
What systems are affected by CVE-2019-7930?
CVE-2019-7930 affects Magento versions 2.1 prior to 2.1.18, 2.2 prior to 2.2.9, and 2.3 prior to 2.3.2.
Who can exploit CVE-2019-7930?
CVE-2019-7930 can be exploited by authenticated users with administrator privileges in Magento.
What risks are associated with CVE-2019-7930?
Exploitation of CVE-2019-7930 could lead to unauthorized modifications to configuration files and potentially compromise the integrity of the Magento application.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3h69-4frw-g2jm
- alias/CVE-2019-7930
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0