CVE-2021-36032: Magento Commerce Improper Input Validation Could Lead To Information Exposure and Privilege Escalation
First published: Wed Sep 01 2021(Updated: )
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe Adobe Commerce | >=2.3.0<=2.3.7 | |
| Adobe Adobe Commerce | >=2.4.0<=2.4.2 | |
| Adobe Adobe Commerce | =2.4.2-p1 | |
| Adobe Magento Open Source | >=2.3.0<=2.3.7 | |
| Adobe Magento Open Source | >=2.4.0<=2.4.2 | |
| Adobe Magento Open Source | =2.4.2-p1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-36032?
CVE-2021-36032 is an improper input validation vulnerability in Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier).
How can an attacker exploit CVE-2021-36032?
An attacker with authentication can exploit CVE-2021-36032 by triggering an insecure direct object reference in the 'V1/customers/me' endpoint, resulting in information exposure and potential privilege escalation.
What is the severity of CVE-2021-36032?
CVE-2021-36032 has a severity score of 8.8 (high) out of 10.0.
Which versions of Magento Commerce are affected by CVE-2021-36032?
Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier), and 2.3.7 (and earlier) are affected by CVE-2021-36032.
Where can I find more information about CVE-2021-36032?
For more information about CVE-2021-36032, you can visit the following reference: [Adobe Security Bulletin APSB21-64](https://helpx.adobe.com/security/products/magento/apsb21-64.html).
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/last-modified-date
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/title
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/adobe
- canonical/adobe adobe commerce
- version/adobe adobe commerce/2.3.0
- version/adobe adobe commerce/2.3.7
- version/adobe adobe commerce/2.4.0
- version/adobe adobe commerce/2.4.2
- version/adobe adobe commerce/2.4.2-p1
- canonical/adobe magento open source
- version/adobe magento open source/2.3.0
- version/adobe magento open source/2.3.7
- version/adobe magento open source/2.4.0
- version/adobe magento open source/2.4.2
- version/adobe magento open source/2.4.2-p1