CVE-2021-21426
Published 2021-04-21
Priority: P3 · 49 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.20% (64.4th percentile)
Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openmage | magento | < 19.4.13 | 19.4.13 |
| openmage | magento | >= 20.0.0 < 20.0.9 | 20.0.9 |
| openmage | magento-lts | <= 19.4.12 | — |
| openmage | magento-lts | >= 0 < 19.4.13 | 19.4.13 |
| openmage | magento-lts | >= 20.0.0 < 20.0.9 | 20.0.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
OSV
osv · 2021-04-22 · CVSS 9.8
CVE-2021-21426 [CRITICAL] Fixes a bug in Zend Framework's Stream HTTP Wrapper
### Impact
CVE-2021-3007: backport of Zend_Http_Response_Stream, which added type checking to prevent exploitation. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007
This vulnerability is caused by the unsecured deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case carries malicious code instead of the “callbackOptions” array.
### Patches
Patched in v20.0.9 and v19.4.13.
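The "type checking" the advisory mentions is the generic CWE-502 mitigation in PHP: never let a deserialized property be used as a callable unless it has the exact shape the code expects, and tell `unserialize()` which classes it may instantiate at all. The following is an added illustrative example, not magento-lts or Zend Framework code. The `StreamResponse` class, its method names, and the two serialized payloads are all constructed for the example; the shape (a `callback` property invoked with a `callbackOptions` array) only mirrors the pattern the advisory describes.

```php
<?php
// Added example, not project code. Hypothetical response class that holds a
// "callback" and "callbackOptions", the pattern named in the advisory.
final class StreamResponse
{
    // Only these method names may ever be invoked through $callback.
    private const ALLOWED_CALLBACKS = ['readChunk', 'finish'];

    public $callback;
    public $callbackOptions = [];

    public function __wakeup(): void
    {
        // Type check on restore: the callback must be a plain string naming an
        // allow-listed method. Objects, closures and arrays are refused outright.
        if (!is_string($this->callback)
            || !in_array($this->callback, self::ALLOWED_CALLBACKS, true)) {
            throw new UnexpectedValueException('Refusing to restore untrusted callback');
        }
        if (!is_array($this->callbackOptions)) {
            throw new UnexpectedValueException('callbackOptions must be an array');
        }
    }

    public function readChunk(array $opts): string { return 'chunk'; }
    public function finish(array $opts): string { return 'done'; }

    public function run(): string
    {
        // Dynamic dispatch is only safe because __wakeup() validated $callback.
        return $this->{$this->callback}($this->callbackOptions);
    }
}

/**
 * Restore a StreamResponse from serialized data. allowed_classes (PHP >= 7.0)
 * limits what unserialize() may instantiate; anything else is turned into
 * __PHP_Incomplete_Class and then rejected by the instanceof check.
 */
function restoreResponse(string $data): StreamResponse
{
    $obj = unserialize($data, ['allowed_classes' => [StreamResponse::class]]);
    if (!$obj instanceof StreamResponse) {
        throw new UnexpectedValueException('Unexpected class in serialized data');
    }
    return $obj;
}

// Constructed inputs for the example.
$good = 'O:14:"StreamResponse":2:{s:8:"callback";s:9:"readChunk";s:15:"callbackOptions";a:0:{}}';
// Same shape, but "callback" carries a nested object instead of a method name.
$bad  = 'O:14:"StreamResponse":2:{s:8:"callback";O:8:"stdClass":0:{}s:15:"callbackOptions";a:0:{}}';

echo restoreResponse($good)->run(), PHP_EOL;
try {
    restoreResponse($bad);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two layers are deliberately combined: `allowed_classes` stops arbitrary classes (and therefore their `__wakeup`/`__destruct` side effects) from being instantiated at all, and the `__wakeup()` check stops the one permitted class from being restored with a callback of the wrong type. For data that never legitimately contains objects, `['allowed_classes' => false]` is the stricter setting.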
GHSA
ghsa · 2021-04-22 · CVSS 9.8
CVE-2021-21426 [CRITICAL] CWE-502 Fixes a bug in Zend Framework's Stream HTTP Wrapper
Advisory text: same as the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.