CVE-2019-7885 — Improper Input Validation in Magento

CWE-20 — Improper Input Validation4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 29.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Systems Incorporated Magento 2

Timeline

PublishedAug 2

Latest updateMay 24

Description

Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. This vulnerability could be abused by an authenticated user with the ability to configure the catalog search.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDmagento/magento2.1.0 — 2.1.18+2

▶Packagistmagento/community-edition2.1 — 2.1.18+2

▶CVEListV5adobe_systems_incorporated/magento_2Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2

🔴Vulnerability Details

OSV

Magento 2 Community Edition RCE Vulnerability↗2022-05-24

▶

GHSA

Magento 2 Community Edition RCE Vulnerability↗2022-05-24

▶

CVEList

CVE-2019-7885: Insufficient input validation in the config builder of the Elastic search module could lead to remote code execution in Magento 2↗2019-08-02

▶