Platform
adobe
Component
adobe-commerce
Fixed in
3.2.6
CVE-2024-49521 describes a Server-Side Request Forgery (SSRF) vulnerability in Adobe Commerce versions 3.2.5 and earlier. It allows a low-privileged attacker to make the vulnerable server issue requests to destinations of the attacker's choosing, so that network controls such as firewalls and segmentation, which trust traffic originating from the server, can be bypassed. No user interaction is required. A fix is available in version 3.2.6.
An SSRF flaw lets an attacker use the Adobe Commerce server as a proxy into the network behind it: internal admin interfaces, databases, cloud instance-metadata services and other services that are not directly reachable from the internet. Depending on what those services expose, the impact ranges from disclosure of sensitive internal data to, where an internal service accepts state-changing requests, follow-on compromise of other systems. Because no user interaction is required, exploitation can be fully automated against many installations. This is the same pattern seen in other SSRF cases where internal services become reachable through a trusted host.
CVE-2024-49521 was publicly disclosed on November 12, 2024. The EPSS score listed for it is 0.32% (55th percentile), a low predicted probability of exploitation in the wild, but SSRF flaws are attractive targets for automated scanning once details are public. No public proof-of-concept exploit is currently known. Refer to the Adobe Security Bulletin for further details.
Organizations that run Adobe Commerce with sensitive internal services reachable from the Commerce host, for example internal APIs, databases or cloud instance-metadata endpoints, are at heightened risk. Shared hosting environments are also exposed: a compromised tenant could use the SSRF to reach resources belonging to other tenants on the same network.
• adobe: Examine Adobe Commerce access logs for inbound requests whose parameters carry a URL pointing at an internal host (loopback, RFC 1918 ranges, cloud metadata endpoints such as 169.254.169.254). A web-server access log records the inbound request, not the request the server then makes; the outbound side only shows up in egress firewall or forward-proxy logs, which should be checked for connections from the Commerce host to internal addresses. A plain grep misses URL-encoded dots (%2E) and decimal-encoded IPs, so treat it as a first pass only.
grep -iE 'localhost|127\.0\.0\.1|169\.254\.169\.254|10\.[0-9]+\.[0-9]+\.[0-9]+|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.' /var/log/apache2/access.log
• generic web: Use curl to test for SSRF by supplying an internal URL to the feature that fetches server-side resources. The vulnerable endpoint and parameter are not identified on this page, so <fetch_endpoint> and <url_parameter> are placeholders; send the request with a valid low-privileged session, since low privileges are required to reach the flaw.
curl -v "http://<adobe_commerce_server>/<fetch_endpoint>?<url_parameter>=http://127.0.0.1/"
• generic web: Check response headers for clues of internal redirects (Location headers pointing at internal hostnames) or server information.
curl -I http://<adobe_commerce_server>
Disclosure
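The detection step above is easier to get right in a small parser than with grep: decode the query string, find parameter values that are URLs, and classify their host. The script below is an added example, not code from this page or from Adobe; the log lines are constructed, and the `/import?url=` endpoint is a hypothetical placeholder, because the page does not identify the vulnerable Adobe Commerce feature or parameter. It goes a step beyond the grep by also catching double-encoded values and decimal-encoded IPv4 addresses, two common filter bypasses.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (not real traffic). The
# /import?url= endpoint is a hypothetical placeholder: this page does not
# identify the vulnerable Adobe Commerce feature or parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "GET /rest/V1/products?searchCriteria=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2024:10:01:09 +0000] "GET /import?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 318 "-" "curl/8.4.0"
198.51.100.4 - - [12/Nov/2024:10:02:15 +0000] "GET /import?url=https%3A%2F%2Fcdn.example.net%2Fcatalog.csv HTTP/1.1" 200 9041 "-" "curl/8.4.0"
198.51.100.4 - - [12/Nov/2024:10:02:40 +0000] "POST /import?url=http%3A%2F%2F10.0.3.15%3A8080%2Fadmin HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [12/Nov/2024:10:03:01 +0000] "GET /import?url=http%3A%2F%2Flocalhost%3A9200%2F_cat%2Findices HTTP/1.1" 200 77 "-" "curl/8.4.0"
203.0.113.9 - - [12/Nov/2024:10:03:30 +0000] "GET /import?url=http%253A%252F%252F2130706433%252F HTTP/1.1" 200 77 "-" "curl/8.4.0"
"""

# Apache combined format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

INTERNAL_NAMES = {"localhost", "metadata.google.internal"}
FETCH_SCHEMES = {"http", "https", "ftp", "gopher", "dict", "file"}


def is_internal_host(host: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    unspecified addresses, decimal-encoded IPv4 and well-known internal names."""
    host = host.strip("[]").lower()
    if host in INTERNAL_NAMES:
        return True
    try:
        # "2130706433" is 127.0.0.1 written as a plain integer, a common SSRF filter bypass
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def find_ssrf_attempts(log_text: str) -> list:
    """Return one finding per request parameter whose value is a URL to an internal destination."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decodes once; a second unquote catches double-encoded values
            decoded = unquote(value)
            try:
                candidate = urlsplit(decoded)
            except ValueError:  # malformed IPv6 literal etc.
                continue
            if candidate.scheme not in FETCH_SCHEMES:
                continue
            host = candidate.hostname or ""
            if candidate.scheme == "file" or is_internal_host(host):
                findings.append({
                    "client": m.group("client"),
                    "method": m.group("method"),
                    "status": int(m.group("status")),
                    "param": name,
                    "url": decoded,
                    "host": host,
                })
    return findings


if __name__ == "__main__":
    for f in find_ssrf_attempts(SAMPLE_LOG):
        print(f"{f['client']} {f['method']} status={f['status']} "
              f"{f['param']}={f['url']} -> internal host {f['host']}")
```

Run against the constructed sample it reports four attempts (the metadata endpoint, a 10.0.0.0/8 host, localhost and the decimal-encoded loopback) and ignores the legitimate fetch from cdn.example.net. On a real deployment, feed it the access log of the Commerce front end and correlate each hit with egress firewall or proxy logs for the same timestamp to see whether the server-side request actually went out.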
Exploit status
EPSS
0.32% (55th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-49521 is to upgrade Adobe Commerce to version 3.2.6 or later, which contains the fix. If an immediate upgrade is not possible, apply temporary workarounds: restrict outbound network access from the Adobe Commerce host with an egress firewall or forward proxy that only permits connections to the external hosts the store legitimately needs (a WAF inspects inbound traffic and cannot enforce outbound restrictions, although WAF rules can still block request parameters that carry internal URLs). Review and restrict the internal URLs Adobe Commerce is allowed to reach, and monitor egress logs for connections from the Commerce host to internal addresses. After upgrading, confirm the fix by sending a controlled SSRF request to an internal resource from a low-privileged account and verifying that it is refused.
Update Adobe Commerce to a version later than 3.2.5 to fix the SSRF vulnerability. Further details and specific update instructions are in the Adobe Security Bulletin (APSB24-90). Apply the update as soon as possible to prevent potential attacks.
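"Restrict the URLs the application is allowed to reach" is the application-side half of the workaround above. The following is an added example of what such a guard has to do, written here for illustration; it is not Adobe Commerce code and is not how the 3.2.6 fix is implemented. The allowlisted hostnames and the addresses returned by the fake resolver are assumptions. It checks scheme, credentials, host allowlist and port, then resolves the name and refuses any internal address, which also blocks the case where an allowlisted name is pointed at an internal IP.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of external hosts the store legitimately talks to;
# this page names no such hosts, so these are assumptions for the example.
ALLOWED_HOSTS = {"cdn.example.net", "api.payments.example.com"}
ALLOWED_PORTS = {80, 443}


class UnsafeDestination(ValueError):
    """Raised when a server-side fetch would reach a forbidden destination."""


def _is_internal(ip) -> bool:
    # Note: Python also treats the IANA documentation ranges (e.g. 203.0.113.0/24)
    # as non-global, so use an ordinary public address when trying this out.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver; the usage below swaps in a fake table instead."""
    return [ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)]


def resolve_outbound(url: str, resolver=system_resolver) -> tuple:
    """Validate an outbound fetch target and return (ip, port, host) to connect to.

    Rejects non-HTTP schemes, credentials in the URL, hosts outside the
    allowlist, non-standard ports and any resolved address that is internal.
    The caller must connect to the returned IP rather than re-resolving, so the
    decision cannot be flipped by DNS rebinding between check and use, and must
    pass every redirect target through this function again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # blocks http://cdn.example.net@10.0.0.1/ style tricks
        raise UnsafeDestination("credentials in URL are not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeDestination(f"host not in allowlist: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeDestination("invalid port")
    if port not in ALLOWED_PORTS:
        raise UnsafeDestination(f"port not allowed: {port}")
    addresses = resolver(host)
    if not addresses:
        raise UnsafeDestination(f"{host!r} did not resolve")
    for ip in addresses:
        if _is_internal(ip):
            raise UnsafeDestination(f"{host!r} resolves to internal address {ip}")
    return str(addresses[0]), port, host


def is_blocked(url: str, resolver=system_resolver) -> bool:
    """True if resolve_outbound refuses the URL; used for self-checks."""
    try:
        resolve_outbound(url, resolver)
    except UnsafeDestination:
        return True
    return False


def fake_resolver(table: dict):
    """Build a resolver from a {hostname: [ip, ...]} table (assumed data, offline)."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]


if __name__ == "__main__":
    dns = fake_resolver({"cdn.example.net": ["8.8.8.8"],
                         "api.payments.example.com": ["10.0.5.20"]})  # second one is poisoned
    print("allowed:", resolve_outbound("https://cdn.example.net/catalog.csv", dns))
    for bad in ("http://169.254.169.254/latest/meta-data/",
                "https://cdn.example.net@127.0.0.1/",
                "file:///etc/passwd",
                "https://api.payments.example.com/charge"):
        print("blocked:", bad, is_blocked(bad, dns))
```

The last case in the usage is the one a pure hostname allowlist misses: api.payments.example.com is on the allowlist but resolves to 10.0.5.20, so the fetch is refused. Returning the resolved IP and connecting to it, instead of letting the HTTP client resolve the name a second time, is what closes the rebinding window.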
CVE-2024-49521 is a Server-Side Request Forgery vulnerability in Adobe Commerce versions 3.2.5 and earlier that allows attackers to bypass network controls by making the server send requests to internal systems.
If you are running Adobe Commerce version 3.2.5 or earlier, you are affected by this SSRF vulnerability.
Upgrade Adobe Commerce to version 3.2.6 or later to resolve the vulnerability. If an immediate upgrade is not possible, use temporary workarounds such as egress filtering on the Commerce host and WAF rules that block internal URLs in request parameters.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability suggests a potential for exploitation, and monitoring is recommended.
Refer to the Adobe Security Bulletin for detailed information and remediation steps: [https://www.adobe.com/security/advisories/](https://www.adobe.com/security/advisories/)