CVE-2019-8122
First published: Tue Oct 08 2019(Updated: )
A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/magento/product-community-edition | >=2.2<2.2.10>=2.3<2.3.2-p2 | |
| composer/magento/community-edition | >=2.3.0<2.3.3 | 2.3.3 |
| composer/magento/community-edition | >=2.2.0<2.2.10 | 2.2.10 |
| composer/magento/community-edition | >=2.1.0<2.1.19 | 2.1.19 |
| CentOS Libgcc | >=2.1.0<2.1.19 | |
| CentOS Libgcc | >=2.1.0<2.1.19 | |
| CentOS Libgcc | >=2.2.0<2.2.10 | |
| CentOS Libgcc | >=2.2.0<2.2.10 | |
| CentOS Libgcc | >=2.3.0<=2.3.2 | |
| CentOS Libgcc | >=2.3.0<=2.3.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://nvd.nist.gov/vuln/detail/CVE-2019-8122
- https://web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update
- https://github.com/advisories/GHSA-5v5p-x8c2-mqxp (Advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2019-8122.yaml
Frequently Asked Questions
What is the severity of CVE-2019-8122?
CVE-2019-8122 is classified as a critical remote code execution vulnerability affecting specific versions of Magento.
How do I fix CVE-2019-8122?
To fix CVE-2019-8122, upgrade Magento to version 2.1.19, 2.2.10, or 2.3.3 or later.
Who is affected by CVE-2019-8122?
CVE-2019-8122 affects authenticated users with privileges to create products on Magento versions prior to the recommended fixed versions.
What can attackers achieve with CVE-2019-8122?
Attackers exploiting CVE-2019-8122 can perform remote code execution, potentially compromising the security of the Magento installation.
Is CVE-2019-8122 present in all Magento installations?
No, CVE-2019-8122 is only present in specific affected versions of Magento prior to the security updates.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5v5p-x8c2-mqxp
- alias/CVE-2019-8122
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/description
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/magento
- canonical/centos libgcc
- version/centos libgcc/2.1.0
- version/centos libgcc/2.2.0
- version/centos libgcc/2.3.0
- version/centos libgcc/2.3.2