Platform: adobe
Component: adobe-commerce
Fixed in: 2.4.5
CVE-2024-45115 is an Improper Authentication vulnerability in Adobe Commerce. The flaw allows an attacker to escalate privileges, leading to unauthorized access and control within the application. It affects Adobe Commerce versions 0 through 2.4.4-p10. Adobe has released patches in versions 2.4.5-p9, 2.4.6-p7, and 2.4.7-p2.
The Improper Authentication vulnerability in Adobe Commerce allows attackers to bypass authentication checks and gain elevated privileges. With those privileges they could access sensitive data, modify system configuration, or take complete control of the affected Commerce instance. Because exploitation requires no user interaction, the bar for an attacker is low, which makes it easier for malicious actors to compromise exposed systems. A successful exploit could lead to data breaches, service disruption, and reputational damage. Given how central Adobe Commerce is to many businesses, the potential impact is substantial.
CVE-2024-45115 was publicly disclosed on October 10, 2024. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and ease of exploitation suggest it is likely a target for attackers. The absence of user interaction makes it particularly attractive. It is not currently listed on the CISA KEV catalog, but its severity warrants close monitoring. Public proof-of-concept exploits are not yet available, but the vulnerability's nature suggests they are likely to emerge.
Organizations heavily reliant on Adobe Commerce for their e-commerce operations are at significant risk. This includes businesses using custom extensions or integrations that may introduce additional vulnerabilities. Shared hosting environments where multiple Adobe Commerce instances reside on the same server are also particularly vulnerable, as a compromise of one instance could potentially impact others.
• linux / server: Monitor Adobe Commerce logs for unusual authentication attempts or privilege escalation patterns. Use journalctl -f to observe authentication events in real time. Note that journalctl only shows services that log to the systemd journal (for example the web server or PHP-FPM); Adobe Commerce writes its own application logs to var/log/ inside the installation directory (system.log and exception.log), so review those as well.
  journalctl -f | grep -i "authentication failed"
• generic web: Use curl to probe for potential authentication bypass endpoints. Examine response headers for signs of unauthorized access.
  curl -I https://your-commerce-site.com/admin/some-sensitive-endpoint
• wordpress / composer / npm: Not applicable; Adobe Commerce is not a WordPress plugin.
• database (mysql, redis, mongodb, postgresql): Not applicable; the vulnerability is not in the database layer.
• windows / supply-chain: Not applicable; Adobe Commerce is primarily a Linux-based platform.
disclosure
patch
Exploit status
EPSS: 0.75% (73rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-45115 is to upgrade Adobe Commerce immediately to a patched version: 2.4.5-p9, 2.4.6-p7, or 2.4.7-p2. If an immediate upgrade is not feasible, implement stricter access controls and review existing authentication mechanisms to limit the impact of a successful exploit. Multi-factor authentication (MFA) is not a fix for the flaw itself, but it adds a further layer of defence. Regularly review and audit user permissions so that least-privilege access is enforced. After upgrading, confirm the fix by re-testing the known exploitation techniques and verifying that authentication checks function as expected.
Update Adobe Commerce to the latest available version. Consult the Adobe security bulletin for detailed instructions on how to update your installation. Apply the patches provided by Adobe to mitigate the vulnerability.
CVE-2024-45115 is a CRITICAL Improper Authentication vulnerability in Adobe Commerce allowing attackers to gain elevated privileges without user interaction.
Yes, if you are running Adobe Commerce versions 0 through 2.4.4-p10, you are affected by this vulnerability.
Upgrade Adobe Commerce to version 2.4.5-p9, 2.4.6-p7, or 2.4.7-p2 to remediate the vulnerability.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity suggests it is a likely target for attackers.
Refer to the Adobe Security Bulletin for CVE-2024-45115: https://www.adobe.com/security/advisories/known/AdobeID-Security-Advisory.txt