CVE-2019-7139
published 2019-04-10


Priority: P183 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.45% (96.4th percentile)
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

Affected (13 ranges)

Vendor    Product              Version range            Fixed in
magento   community-edition    >= 2.1.0 < 2.1.18        2.1.18
magento   community-edition    >= 2.2.0 < 2.2.9         2.2.9
magento   community-edition    >= 2.3.0 < 2.3.2         2.3.2
magento   magento              < 1.9.4.1                1.9.4.1
magento   magento              -                        -
magento   magento              -                        -
magento   magento              -                        -
magento   magento              >= 1.14.0.0 < 1.14.4.1   1.14.4.1
magento   magento              >= 2.1.0 < 2.1.17        2.1.17
magento   magento              >= 2.2.0 < 2.2.8         2.2.8
magento   magento              >= 2.3.0 < 2.3.1         2.3.1
magento   magento_commerce     -                        -
magento   magento_open_source  -                        -

Detection & IOCs (extracted from sources)

url: /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((8)))a)%3d1+--+-
url: /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20-
url: /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20-
path: /catalog/product_frontend_action/synchronize
  • Detect CVE-2019-7139 exploitation by monitoring GET requests to /catalog/product_frontend_action/synchronize with type_id=recently_products and SQL injection payloads in the ids[0][product_id][to] parameter (e.g., SLEEP, UNION SELECT, OR constructs with triple closing parentheses).
  • Time-based detection: if the server response duration for a request to the synchronize endpoint is >= 8 seconds AND the Content-Type is application/json, this is a strong indicator of successful time-based SQL injection exploitation.
  • Blind boolean-based detection: compare responses to two requests with WHERE 1=0 vs WHERE 1=1 payloads — a 200 status with body length 2 for the true condition and a 400 status with body length 2 for the false condition indicates successful boolean-based SQLi.
  • Pre-check for Magento presence: confirm the target is a Magento instance by verifying the response body contains 'text/x-magento-init' before probing the vulnerable endpoint.
  • The vulnerability is unauthenticated — no session cookie or authentication token is required. Any unauthenticated GET request to the synchronize endpoint with SQLi payloads should be treated as an attack attempt.
  • Shodan queries for exposed Magento instances that may be vulnerable: http.component:"Magento" or cpe:"cpe:2.3:a:magento:magento".
  • The Nuclei template uses a 20-second timeout for the time-based SQLi request (SLEEP(8)); ensure detection infrastructure and WAF/IDS timeout thresholds are set above this value to avoid missing the indicator.
  • The template uses a flow gate (http(1) && http(2)): the SQLi probe is only sent if the initial Magento fingerprint check passes. Standalone IDS rules targeting the SQLi path should not rely on this two-step flow and should fire independently.
  • The template is set to stop-at-first-match across the three SQLi request variants; in practice, all three payload variants should be monitored independently in network detection rules, since an attacker may use any one of them.
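As an added example (not code from this record, from Magento, or from the Nuclei template it cites), the following Python applies the indicators listed above to web-server access-log lines: the vulnerable path, type_id=recently_products, injection fragments in the ids[0][product_id][to] parameter, the >= 8 s JSON response that marks a working SLEEP(8) probe, and the 200/400 two-byte response pair that marks a working boolean-based probe. The log-line format, the client addresses and the benign request are constructed for the demo; the three probe URLs are the ones listed in the record.

```python
# Added detection example for the CVE-2019-7139 indicators above. Not code from
# the vulnerability record, Magento, or the Nuclei project. The access-log format
# and client addresses are constructed for the demo; the probe URLs are the ones
# listed in the record.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/catalog/product_frontend_action/synchronize"
INJECT_PARAM = "ids[0][product_id][to]"
SLEEP_SECONDS = 8.0  # the known probe uses SLEEP(8)

# Payload fragments named in the record, matched against the URL-decoded value.
SQLI_PATTERNS = (
    (re.compile(r"\)\)\)"), "triple closing parentheses"),
    (re.compile(r"\bSLEEP\s*\(", re.I), "SLEEP() time-based probe"),
    (re.compile(r"\bUNION\s+SELECT\b", re.I), "UNION SELECT"),
    (re.compile(r"\bOR\s*\(\s*SELECT\b", re.I), "OR (SELECT ...) construct"),
)

@dataclass
class LogEntry:
    client: str
    method: str
    url: str
    status: int
    body_len: int
    duration_s: float
    content_type: str

@dataclass
class Finding:
    entry: LogEntry
    reasons: List[str]
    time_based_success: bool = False
    boolean_variant: Optional[str] = None  # "true"/"false" for the WHERE 1=1 / 1=0 probes

def parse_line(line: str) -> LogEntry:
    """Constructed format: client method url status body_len duration_s content_type."""
    client, method, url, status, body_len, duration, ctype = line.split()
    return LogEntry(client, method, url, int(status), int(body_len), float(duration), ctype)

def classify(entry: LogEntry) -> Optional[Finding]:
    """Return a Finding when the request matches the record's attack signature."""
    parts = urlsplit(entry.url)
    if parts.path != VULN_PATH:
        return None
    query = parse_qs(parts.query)  # decodes %xx and '+' inside the parameter value
    if query.get("type_id", [""])[0] != "recently_products":
        return None
    value = query.get(INJECT_PARAM, [""])[0]
    reasons = [label for pattern, label in SQLI_PATTERNS if pattern.search(value)]
    if not reasons:
        return None  # ordinary use of the endpoint, no injection fragments
    finding = Finding(entry, reasons)
    # Time-based rule from the record: >= 8 s response with a JSON content type.
    if entry.duration_s >= SLEEP_SECONDS and entry.content_type.startswith("application/json"):
        finding.time_based_success = True
    if re.search(r"WHERE\s+1\s*=\s*1", value, re.I):
        finding.boolean_variant = "true"
    elif re.search(r"WHERE\s+1\s*=\s*0", value, re.I):
        finding.boolean_variant = "false"
    return finding

def boolean_pair_success(findings: List[Finding]) -> Set[str]:
    """Clients whose 1=1 probe got 200 with a 2-byte body and whose 1=0 probe got
    400 with a 2-byte body: the pair the record gives for a working boolean-based SQLi."""
    probes: Dict[str, Dict[str, LogEntry]] = {}
    for finding in findings:
        if finding.boolean_variant:
            probes.setdefault(finding.entry.client, {})[finding.boolean_variant] = finding.entry
    hits = set()
    for client, seen in probes.items():
        ok, bad = seen.get("true"), seen.get("false")
        if ok and bad and (ok.status, ok.body_len) == (200, 2) and (bad.status, bad.body_len) == (400, 2):
            hits.add(client)
    return hits

def scan(lines: List[str]) -> List[Finding]:
    findings = (classify(parse_line(line)) for line in lines if line.strip())
    return [f for f in findings if f is not None]

# Constructed sample log: a normal call to the endpoint, the three probe URLs
# from the record, and an unrelated page.
SAMPLE_LOG = """\
10.0.0.5 GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=1554868800&ids[0][product_id]=1234 200 2 0.045 application/json
198.51.100.7 GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))+OR+(SELECT*FROM+(SELECT+SLEEP((8)))a)%3d1+--+- 200 2 8.214 application/json
198.51.100.7 GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=0)%20--%20- 400 2 0.031 application/json
198.51.100.7 GET /catalog/product_frontend_action/synchronize?type_id=recently_products&ids[0][added_at]=&ids[0][product_id][from]=?&ids[0][product_id][to]=)))%20OR%20(SELECT%201%20UNION%20SELECT%202%20FROM%20DUAL%20WHERE%201=1)%20--%20- 200 2 0.029 application/json
10.0.0.9 GET /customer/account/login/ 200 5321 0.120 text/html
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f.entry.client, f.reasons, "time-based:", f.time_based_success, "bool:", f.boolean_variant)
    print("boolean-based success from:", boolean_pair_success(found))
```

The per-request rule fires on any request with injection fragments in the parameter, regardless of outcome, which matches the record's point that every such unauthenticated GET is an attempt; the time-based and boolean-based checks then separate attempts from responses that indicate the injection actually worked. Pairing the boolean probes per client is a simplification; a production rule would also bound the time window between the two requests.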

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -