CVE-2020-5777
published 2020-09-01

CVE-2020-5777: MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass due to allowing default credentials in the event there is a database connection…

Priority P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.90% (97.5th percentile)
MAGMI versions prior to 0.7.24 are vulnerable to a remote authentication bypass because default credentials are accepted when there is a database connection failure. A remote attacker can trigger this connection failure if the MySQL setting max_connections (default 151) is lower than the Apache (or other web server) setting MaxRequestWorkers (formerly MaxClients) (default 256). This can be done by sending at least 151 simultaneous requests to the Magento website to trigger a "Too many connections" error, then using the default magmi:magmi basic authentication to remotely bypass authentication.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dweeves | magmi | >= 0 < 0.7.24 | 0.7.24 |
| magmi_project | magmi | < 0.7.24 | 0.7.24 |
| magmi_project | magmi | | |

Detection & IOCs (extracted from sources)

other: magmi:magmi
path: /magmi/inc/magmi_auth.php
  • Trigger condition: HTTP 503 response containing the string 'Too many connections' in the body indicates the MySQL max_connections limit has been saturated, enabling the auth bypass fallback in MAGMI.
  • Attack requires sending at least 151 simultaneous requests to exhaust MySQL max_connections (default 151) while keeping Apache MaxRequestWorkers (default 256+) available, then authenticating to MAGMI with default credentials magmi:magmi via HTTP Basic Auth.
  • Shodan queries 'http.component:"Magento"' or 'http.component:"magento"' can be used to identify internet-exposed Magento instances potentially running a vulnerable MAGMI plugin.
  • The authentication bypass fallback logic is located at line 35 of magmi_auth.php; review or monitor this file for the presence of hardcoded default credential acceptance on DB connection failure.
  • The DB-DoS attack only succeeds when MySQL max_connections is LESS THAN Apache MaxRequestWorkers. If max_connections >= MaxRequestWorkers, the attack vector is blocked because Apache will exhaust connections before MySQL does.
  • Apache versions prior to 2.4.10 had a default MaxRequestWorkers of 150, which is smaller than MySQL's default max_connections of 151, making those older Apache versions NOT vulnerable to this specific attack path.
  • A Magento 2 fork of MAGMI also exists and is equally vulnerable; it does not receive the same patch as the original MAGMI 0.7.24 release.
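
A defender can check the precondition described above (max_connections lower than MaxRequestWorkers on an unpatched MAGMI) directly from configuration text. The following is an added example, not code from this page or from the MAGMI project; the function names, the sample configuration strings and the plain dotted numeric version format are assumptions, and the defaults are the ones stated on this page.

```python
import re

# Defaults and fixed version as stated on this page.
MYSQL_DEFAULT_MAX_CONNECTIONS = 151
APACHE_DEFAULT_WORKERS = 256
APACHE_PRE_2_4_10_DEFAULT_WORKERS = 150
MAGMI_FIXED = (0, 7, 24)

def mysql_max_connections(cnf_text):
    """Effective max_connections: the last uncommented assignment wins."""
    value = MYSQL_DEFAULT_MAX_CONNECTIONS
    for line in cnf_text.splitlines():
        m = re.match(r"\s*max[_-]connections\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))
    return value

def apache_max_workers(conf_text, apache_version):
    """Largest MaxRequestWorkers/MaxClients found (worst case across MPM blocks)."""
    found = re.findall(r"^[ \t]*(?:MaxRequestWorkers|MaxClients)[ \t]+(\d+)",
                       conf_text, re.I | re.M)
    if found:
        return max(int(v) for v in found)
    if apache_version < (2, 4, 10):
        return APACHE_PRE_2_4_10_DEFAULT_WORKERS
    return APACHE_DEFAULT_WORKERS

def assess(cnf_text, conf_text, magmi_version, apache_version=(2, 4, 10)):
    """Report whether the CVE-2020-5777 precondition holds for this host."""
    db = mysql_max_connections(cnf_text)
    web = apache_max_workers(conf_text, apache_version)
    unpatched = tuple(int(p) for p in magmi_version.split(".")) < MAGMI_FIXED
    exhaustible = db < web  # web tier can hold more requests than MySQL allows connections
    return {"max_connections": db, "max_request_workers": web,
            "magmi_unpatched": unpatched, "db_exhaustible": exhaustible,
            "exposed": unpatched and exhaustible}

# Constructed sample inputs (not taken from any real host).
SAMPLE_MY_CNF = "[mysqld]\n# max_connections = 500\nmax_connections = 151\n"
SAMPLE_APACHE = "<IfModule mpm_prefork_module>\n    MaxRequestWorkers 256\n</IfModule>\n"

if __name__ == "__main__":
    print(assess(SAMPLE_MY_CNF, SAMPLE_APACHE, "0.7.22"))
```

The version comparison applies to the original MAGMI only; per the caveat above, the Magento 2 fork has to be reviewed separately.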

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P