What is the severity of CVE-2023-38220?

CVE-2023-38220 has been classified as a high severity vulnerability due to its potential to bypass security features and access unauthorized data.

How do I fix CVE-2023-38220?

To fix CVE-2023-38220, you should update your Adobe Commerce to version 2.4.7 or 2.4.6-p3 and later, or apply the latest security patches.

What types of Adobe Commerce versions are affected by CVE-2023-38220?

Affected versions include Adobe Commerce 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier.

Can CVE-2023-38220 be exploited remotely?

Yes, CVE-2023-38220 can be exploited remotely by an attacker to gain access to unauthorized data.

What potential impact does CVE-2023-38220 have?

The impact of CVE-2023-38220 includes data breaches and unauthorized access to sensitive information in affected Adobe Commerce installations.

Vulnerability/
CVE-2023-38220

high

7.5

CWE

285

13/10/2023

4/3/2025

CVE-2023-38220: Full page cache enumeration via cookie X-Magento-Vary

First published: Fri Oct 13 2023(Updated: )

Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Authorization vulnerability that could lead in a security feature bypass in a way that an attacker could access unauthorised data. Exploitation of this issue does not require user interaction.

Credit: psirt@adobe.com

Affected Software	Affected Version	How to fix
composer/magento/project-community-edition	<=2.0.2
composer/magento/community-edition	>=2.4.4-p1<2.4.4-p6	2.4.4-p6
composer/magento/community-edition	>=2.4.5-p1<2.4.5-p5	2.4.5-p5
composer/magento/community-edition	>=2.4.6-p1<2.4.6-p3	2.4.6-p3
composer/magento/community-edition	=2.4.4
composer/magento/community-edition	=2.4.5
composer/magento/community-edition	=2.4.6
composer/magento/community-edition	=2.4.7-beta1	2.4.7-beta2
Adobe Magento Commerce	=2.3.7
Adobe Magento Commerce	=2.3.7-p1
Adobe Magento Commerce	=2.3.7-p2
Adobe Magento Commerce	=2.3.7-p3
Adobe Magento Commerce	=2.3.7-p4
Adobe Magento Commerce	=2.3.7-p4-ext1
Adobe Magento Commerce	=2.3.7-p4-ext2
Adobe Magento Commerce	=2.3.7-p4-ext3
Adobe Magento Commerce	=2.3.7-p4-ext4
Adobe Magento Commerce	=2.4.0
Adobe Magento Commerce	=2.4.0-ext-1
Adobe Magento Commerce	=2.4.0-ext-2
Adobe Magento Commerce	=2.4.0-ext-3
Adobe Magento Commerce	=2.4.0-ext-4
Adobe Magento Commerce	=2.4.1
Adobe Magento Commerce	=2.4.1-ext-1
Adobe Magento Commerce	=2.4.1-ext-2
Adobe Magento Commerce	=2.4.1-ext-3
Adobe Magento Commerce	=2.4.1-ext-4
Adobe Magento Commerce	=2.4.2
Adobe Magento Commerce	=2.4.2-ext-1
Adobe Magento Commerce	=2.4.2-ext-2
Adobe Magento Commerce	=2.4.2-ext-3
Adobe Magento Commerce	=2.4.2-ext-4
Adobe Magento Commerce	=2.4.3
Adobe Magento Commerce	=2.4.3-ext-1
Adobe Magento Commerce	=2.4.3-ext-2
Adobe Magento Commerce	=2.4.3-ext-3
Adobe Magento Commerce	=2.4.3-ext-4
Adobe Magento Commerce	=2.4.4
Adobe Magento Commerce	=2.4.4-p1
Adobe Magento Commerce	=2.4.4-p2
Adobe Magento Commerce	=2.4.4-p3
Adobe Magento Commerce	=2.4.4-p4
Adobe Magento Commerce	=2.4.4-p5
Adobe Magento Commerce	=2.4.5
Adobe Magento Commerce	=2.4.5-p1
Adobe Magento Commerce	=2.4.5-p2
Adobe Magento Commerce	=2.4.5-p3
Adobe Magento Commerce	=2.4.5-p4
Adobe Magento Commerce	=2.4.5-p5
Adobe Magento Commerce	=2.4.6
Adobe Magento Commerce	=2.4.6-p1
Adobe Magento Commerce	=2.4.6-p2
Adobe Magento Commerce	=2.4.7-b1
Magento	=2.4.4
Magento	=2.4.4-p1
Magento	=2.4.4-p2
Magento	=2.4.4-p3
Magento	=2.4.5
Magento	=2.4.5-p1
Magento	=2.4.5-p2
Magento	=2.4.5-p3
Magento	=2.4.5-p4
Magento	=2.4.6
Magento	=2.4.6-p1
Magento	=2.4.6-p2
Magento	=2.4.7-b1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-38220?
CVE-2023-38220 has been classified as a high severity vulnerability due to its potential to bypass security features and access unauthorized data.
How do I fix CVE-2023-38220?
To fix CVE-2023-38220, you should update your Adobe Commerce to version 2.4.7 or 2.4.6-p3 and later, or apply the latest security patches.
What types of Adobe Commerce versions are affected by CVE-2023-38220?
Affected versions include Adobe Commerce 2.4.7-beta1 and earlier, 2.4.6-p2 and earlier, 2.4.5-p4 and earlier, and 2.4.4-p5 and earlier.
Can CVE-2023-38220 be exploited remotely?
Yes, CVE-2023-38220 can be exploited remotely by an attacker to gain access to unauthorized data.
What potential impact does CVE-2023-38220 have?
The impact of CVE-2023-38220 includes data breaches and unauthorized access to sensitive information in affected Adobe Commerce installations.

agent/type
agent/weakness
agent/description
agent/author
collector/mitre-cve
source/MITRE
agent/severity
agent/title
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-grc6-r6f8-xj7c
alias/CVE-2023-38220
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/source
agent/softwarecombine
collector/github-advisory
agent/tags
agent/event
collector/nvd-api
agent/software-canonical-lookup-request
collector/nvd-index
collector/nvd-cve
source/NVD
package-manager/composer
vendor/adobe
canonical/adobe magento commerce
version/adobe magento commerce/2.3.7
version/adobe magento commerce/2.3.7-p1
version/adobe magento commerce/2.3.7-p2
version/adobe magento commerce/2.3.7-p3
version/adobe magento commerce/2.3.7-p4
version/adobe magento commerce/2.3.7-p4-ext1
version/adobe magento commerce/2.3.7-p4-ext2
version/adobe magento commerce/2.3.7-p4-ext3
version/adobe magento commerce/2.3.7-p4-ext4
version/adobe magento commerce/2.4.0
version/adobe magento commerce/2.4.0-ext-1
version/adobe magento commerce/2.4.0-ext-2
version/adobe magento commerce/2.4.0-ext-3
version/adobe magento commerce/2.4.0-ext-4
version/adobe magento commerce/2.4.1
version/adobe magento commerce/2.4.1-ext-1
version/adobe magento commerce/2.4.1-ext-2
version/adobe magento commerce/2.4.1-ext-3
version/adobe magento commerce/2.4.1-ext-4
version/adobe magento commerce/2.4.2
version/adobe magento commerce/2.4.2-ext-1
version/adobe magento commerce/2.4.2-ext-2
version/adobe magento commerce/2.4.2-ext-3
version/adobe magento commerce/2.4.2-ext-4
version/adobe magento commerce/2.4.3
version/adobe magento commerce/2.4.3-ext-1
version/adobe magento commerce/2.4.3-ext-2
version/adobe magento commerce/2.4.3-ext-3
version/adobe magento commerce/2.4.3-ext-4
version/adobe magento commerce/2.4.4
version/adobe magento commerce/2.4.4-p1
version/adobe magento commerce/2.4.4-p2
version/adobe magento commerce/2.4.4-p3
version/adobe magento commerce/2.4.4-p4
version/adobe magento commerce/2.4.4-p5
version/adobe magento commerce/2.4.5
version/adobe magento commerce/2.4.5-p1
version/adobe magento commerce/2.4.5-p2
version/adobe magento commerce/2.4.5-p3
version/adobe magento commerce/2.4.5-p4
version/adobe magento commerce/2.4.5-p5
version/adobe magento commerce/2.4.6
version/adobe magento commerce/2.4.6-p1
version/adobe magento commerce/2.4.6-p2
version/adobe magento commerce/2.4.7-b1
canonical/magento
version/magento/2.4.4
version/magento/2.4.4-p1
version/magento/2.4.4-p2
version/magento/2.4.4-p3
version/magento/2.4.5
version/magento/2.4.5-p1
version/magento/2.4.5-p2
version/magento/2.4.5-p3
version/magento/2.4.5-p4
version/magento/2.4.6
version/magento/2.4.6-p1
version/magento/2.4.6-p2
version/magento/2.4.7-b1