Platform: php
Component: magento/project-community-edition
Fixed in: 2.4.5, 2.0.3
CVE-2024-39399 is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) in Magento Project Community Edition. It lets an attacker read arbitrary files outside the directory the application intended to expose, leading to data disclosure. The package metadata on this page lists versions 2.0.2 and earlier as affected, while the patched releases are 2.4.7-p1, 2.4.6-p6 and 2.4.5-p8; consult Adobe's security bulletin for the exact affected range of each 2.4.x line.
The primary impact is unauthorized read access to the server's file system. An attacker could retrieve configuration files, source code or other data readable by the web server process, which on a Magento installation includes the database credentials, encryption key and API keys stored in app/etc/env.php. No user interaction is required, so the flaw can be exploited directly against the public-facing store without luring an administrator. The CVSS vector marks the scope as changed: the Magento application is the vulnerable component, but the files read belong to the host file system, so the impact extends beyond the application's own security authority.
CVE-2024-39399 was publicly disclosed on August 14, 2024. Exploitation requires no user interaction and the payoff (credentials) is attractive, but the EPSS estimate on this page is low (0.76%, 73rd percentile) and no active campaigns or widely circulated public proof-of-concept exploits have been reported as of this writing. Monitor security advisories and threat intelligence feeds for changes in exploitation activity.
Organizations running an affected Magento Project Community Edition release are at risk, particularly where the web server process can read files beyond the store's own document root or where file permissions are loose. Shared hosting environments running older Magento installations deserve extra attention: an arbitrary file read runs with the web server's privileges, so if tenants' files are readable by that process, one tenant's store can expose another's data.
• linux / server: enumerate the files an arbitrary read would expose first (on Magento 2 the database credentials live in app/etc/env.php next to config.php) and check their ownership and permissions:
find /var/www/html -type f \( -name 'env.php' -o -name 'config.php' \) -exec ls -l {} \;
• generic web: confirm the web server does not serve sensitive files directly (expect 403 or 404; a 200 means the file is exposed regardless of this CVE):
curl -I http://your-magento-site.com/path/to/sensitive/file.txt
• php: review application and extension code that builds a file system path from request input (query parameters, route segments, uploaded file names) and reads it with file_get_contents(), fopen(), include or similar. The path must be canonicalised with realpath() and checked to lie inside the intended directory before use; basename() only keeps the final path component and dirname() is not a sanitiser, so neither replaces that check.
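As an added illustration (not code from this page or from Magento itself), the concatenation pattern a code review should flag, beside the realpath()-and-prefix check that stops traversal. The "reports" directory, the file names and the temporary directory tree are assumptions made for the demo:

```php
<?php
declare(strict_types=1);

// Added example, not Magento code: a vulnerable file read next to a hardened one.
// The "reports" directory, file names and temp tree below are assumptions.

// Vulnerable: the request-controlled name is appended to a base directory.
// "../app/etc/env.php" walks out of $baseDir, and a symlink placed inside
// $baseDir is followed wherever it points.
function readReportVulnerable(string $baseDir, string $name): string|false
{
    return @file_get_contents($baseDir . '/' . $name);
}

// Hardened: canonicalise both sides with realpath(), which resolves ".." and
// symlinks and returns false for paths that do not exist, then require the
// target to lie strictly inside the base directory.
function readReportSafe(string $baseDir, string $name): string|false
{
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $name);
    if ($base === false || $target === false) {
        return false;
    }
    // The trailing separator stops "/srv/reports-private" passing as "/srv/reports".
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return file_get_contents($target);
}

// --- demo on a throwaway directory tree (constructed for this example) -------
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
mkdir("$root/reports", 0700, true);
mkdir("$root/app/etc", 0700, true);
file_put_contents("$root/reports/sales.csv", "sku,qty\nABC-1,3\n");
file_put_contents("$root/app/etc/env.php", "<?php return ['db' => ['password' => 'not-a-real-secret']];\n");
// A link inside the allowed directory that points outside it.
symlink("$root/app/etc/env.php", "$root/reports/latest.csv");

// The names are what the application sees after the web layer has percent-decoded
// the request, so "..%2Fapp%2Fetc%2Fenv.php" arrives as the second probe.
$probes = ['sales.csv', '../app/etc/env.php', 'latest.csv', '../reports/sales.csv'];
foreach ($probes as $name) {
    $v = readReportVulnerable("$root/reports", $name);
    $s = readReportSafe("$root/reports", $name);
    printf("%-22s vulnerable: %-7s hardened: %s\n", $name,
        $v === false ? 'denied' : 'READ', $s === false ? 'denied' : 'read');
}

// Cleanup of the demo tree.
unlink("$root/reports/latest.csv");
unlink("$root/reports/sales.csv");
unlink("$root/app/etc/env.php");
rmdir("$root/reports");
rmdir("$root/app/etc");
rmdir("$root/app");
rmdir($root);
```

Run it with `php demo.php` on PHP 8.0 or later (str_starts_with). The vulnerable reader returns the contents of env.php for both the "../" name and the symlink; the hardened reader denies both while still serving "../reports/sales.csv", because realpath() resolves that back inside the base directory. Canonicalising the base directory as well matters on hosts where the web root itself sits behind a symlink (sys_get_temp_dir() on macOS, for instance); comparing a resolved target against an unresolved base would reject every legitimate request.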
EPSS: 0.76% (73rd percentile)
The primary mitigation for CVE-2024-39399 is to upgrade Magento to a patched release: 2.4.7-p1, 2.4.6-p6 or 2.4.5-p8. Before upgrading, review the Magento release notes for breaking changes and test the upgrade in a staging environment. If an immediate upgrade is not feasible, reduce the blast radius in the meantime: run PHP-FPM as a dedicated user that can read only the store's own files, keep app/etc/env.php readable by that user alone, and make sure the web server never serves app/, var/ or vendor/ directly. Monitor the web server access logs for request paths containing "../" or its percent-encoded forms ("%2e%2e%2f", "..%2f", double-encoded "%252e%252e%252f"); a 200 response to such a request is a likely successful read and warrants an incident response, including rotation of the database password and encryption key. After upgrading, confirm the installed version is one of the patched releases; since no public proof of concept is available, there is no reliable request to replay against the store, so the version check is the verification.
Upgrade Adobe Commerce to version 2.4.7-p1, 2.4.6-p6, 2.4.5-p8 or later. This corrects the path traversal vulnerability that allows local file reads. Consult Adobe's security bulletin for details and release-specific upgrade instructions.
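As an added example (not from this page or from Magento), a scanner for the log monitoring described above: it reads access-log lines in the Apache/nginx combined format, normalises percent-encoding up to two levels so single- and double-encoded traversal sequences are caught, and flags requests containing a ".." path segment. The log lines, IP addresses and paths are constructed for the demo:

```php
<?php
declare(strict_types=1);

// Added example: detect path-traversal probes in combined-format access logs.
// The sample log lines, client IPs and paths below are constructed, not real.

// Percent-decode up to $rounds times so that "%2e%2e%2f" (once) and
// "%252e%252e%252f" (twice) both normalise to "../". Backslashes are folded
// into forward slashes so "..\" variants are caught as well.
function normalisePath(string $path, int $rounds = 2): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $decoded = rawurldecode($path);
        if ($decoded === $path) {
            break;
        }
        $path = $decoded;
    }
    return str_replace('\\', '/', $path);
}

// True when the normalised request contains a ".." path segment.
function isTraversal(string $path): bool
{
    return preg_match('#(^|/)\.\.(/|$)#', normalisePath($path)) === 1;
}

/**
 * Returns one entry per suspicious line: client IP, raw request target, HTTP status.
 * Combined log format: IP ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
 */
function findTraversalAttempts(array $lines): array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})/';
    $hits = [];
    foreach ($lines as $line) {
        if (preg_match($re, $line, $m) !== 1) {
            continue; // not a request line we understand
        }
        [, $ip, $target, $status] = $m;
        if (isTraversal($target)) {
            $hits[] = ['ip' => $ip, 'target' => $target, 'status' => (int) $status];
        }
    }
    return $hits;
}

// Constructed sample: two normal requests and three probes from one client,
// the first of which got a 200 back.
$sampleLog = [
    '203.0.113.5 - - [14/Aug/2024:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Aug/2024:10:01:07 +0000] "GET /media/../app/etc/env.php HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.9 - - [14/Aug/2024:10:01:09 +0000] "GET /media/%2e%2e%2f%2e%2e%2fapp/etc/env.php HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [14/Aug/2024:10:01:11 +0000] "GET /media/%252e%252e%252fapp%252fetc%252fenv.php HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '198.51.100.2 - - [14/Aug/2024:10:02:00 +0000] "GET /customer/account/login/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

foreach (findTraversalAttempts($sampleLog) as $hit) {
    $note = $hit['status'] === 200 ? 'SUCCESSFUL READ - investigate' : 'probe';
    printf("%-12s %3d %-48s %s\n", $hit['ip'], $hit['status'], $hit['target'], $note);
}
```

Run with `php scan.php`, or replace `$sampleLog` with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` to scan a real log. Three of the five lines are reported, the 200 one marked for investigation. Two caveats: a web server normally collapses a literal "../" in the URL path before routing, so real attempts tend to arrive encoded or inside a query-string parameter (both still appear in the logged request target), and a vulnerable parameter delivered in a POST body is not in the access log at all; application-level logging is needed for that case.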
CVE-2024-39399 is a vulnerability allowing attackers to read arbitrary files on a Magento server, potentially exposing sensitive data. It affects versions ≤2.0.2 and has a CVSS score of 7.7 (HIGH).
If you are running Magento Project Community Edition version 2.0.2 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade Magento to version 2.4.7-p1, 2.4.6-p6, or 2.4.5-p8. Review release notes and test in a staging environment before applying the update.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation warrants caution. Monitor security advisories and threat intelligence feeds.
Refer to Adobe's security bulletin for Adobe Commerce and Magento Open Source for the authoritative affected-version list and updates. A third-party summary of the Magento 2.4 fixes is available at [https://dev.classmethod.com/en/wordpress/magento-2-4-security-vulnerabilities/](https://dev.classmethod.com/en/wordpress/magento-2-4-security-vulnerabilities/).