CVE-2019-7932: Code Injection
First published: Tue Jun 25 2019(Updated: )
A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary PHP code by creating a malicious sitemap file.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.1<2.1.18>=2.2<2.2.9>=2.3<2.3.2 | |
| composer/magento/magento1ee | >=1<1.14.4.2 | |
| composer/magento/magento1ce | >=1<1.9.4.2 | |
| composer/magento/community-edition | >=2.3<2.3.2 | 2.3.2 |
| composer/magento/community-edition | >=2.2<2.2.9 | 2.2.9 |
| composer/magento/community-edition | >=2.1<2.1.18 | 2.1.18 |
| CentOS Libgcc | <1.9.4.2 | |
| CentOS Libgcc | <1.14.4.2 | |
| CentOS Libgcc | >=2.1.0<2.1.18 | |
| CentOS Libgcc | >=2.2.0<2.2.9 | |
| CentOS Libgcc | >=2.3.0<2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://nvd.nist.gov/vuln/detail/CVE-2019-7932
- https://web.archive.org/web/20211206084839/https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
- https://github.com/advisories/GHSA-969v-mwp3-4mr3 (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ce/CVE-2019-7932.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/magento1ee/CVE-2019-7932.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-7932.yaml
Frequently Asked Questions
What are the impacts of CVE-2019-7932?
CVE-2019-7932 allows an authenticated user with admin privileges to execute arbitrary PHP code on affected Magento systems.
Which versions of Magento are affected by CVE-2019-7932?
CVE-2019-7932 affects Magento Open Source versions prior to 1.9.4.2 and Magento Commerce versions before 1.14.4.2, along with specific versions of Magento 2.1, 2.2, and 2.3.
How do I remediate CVE-2019-7932?
To fix CVE-2019-7932, update Magento to the patched versions: Magento Open Source 1.9.4.2 or later, 2.1.18 or later, 2.2.9 or later, or 2.3.2 or later.
What type of vulnerability is CVE-2019-7932 classified as?
CVE-2019-7932 is classified as a remote code execution vulnerability.
Can an attacker exploit CVE-2019-7932 without authentication?
No, an attacker needs to have admin privileges to exploit CVE-2019-7932.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-969v-mwp3-4mr3
- alias/CVE-2019-7932
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0