Backport for CVE-2021-21024 Blind SQLi from Magento 2
Platform
php
Component
openmage/magento-lts
Fixed in
19.4.13
20.0.9
CVE-2021-21427 is a critical SQL injection vulnerability discovered in Magento LTS. This flaw allows unauthorized administrators access to restricted resources within the platform. It impacts versions of Magento LTS up to and including v19.4.9, and a patch is available in versions v19.4.13 and v20.0.9.
Impact and Attack Scenarios
The primary impact of CVE-2021-21427 is the potential for unauthorized access to sensitive data and administrative functions within a Magento store. A successful attacker could leverage SQL injection to bypass authentication controls, retrieve confidential information (customer data, order details, payment information), modify data, or even gain complete control over the Magento instance. This vulnerability is a backport of CVE-2021-21024, highlighting the importance of keeping Magento LTS up-to-date with the latest security patches. The ability to manipulate database queries directly poses a significant threat to data integrity and system security.
Exploitation Context
CVE-2021-21427 was publicly disclosed on April 22, 2021. It is related to CVE-2021-21024, suggesting a shared root cause. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and the potential for significant data compromise make this vulnerability a high-priority target for attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Who Is at Risk
Organizations running Magento LTS installations, particularly those with legacy configurations or custom extensions that may not be regularly updated, are at significant risk. Shared hosting environments where multiple Magento stores share the same database are also vulnerable, as a compromise of one store could potentially impact others.
Detection Steps
• php: Review application logs for suspicious SQL queries or error messages related to database interactions. Use a code analysis tool to scan for potential SQL injection vulnerabilities in custom code.
• generic web: Use curl or wget to test potentially vulnerable endpoints with SQL injection payloads (e.g., ' OR '1'='1). Examine response headers for unusual behavior.
• database (mysql): Connect to the Magento database using a MySQL client and attempt to execute malicious SQL queries. Monitor database logs for unauthorized access attempts.
Attack Timeline
- Disclosure
- Patch
Threat Intelligence
Exploit Status
EPSS
0.64% (percentile 70%)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet. No physical or local access required.
- Attack Complexity
- Low: no special conditions required. Reliably exploitable.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- None: the attack is automatic and silent. The victim does nothing.
- Scope
- Changed: the attack can pivot beyond the vulnerable component.
- Confidentiality
- High: total loss of confidentiality. The attacker can read all data.
- Integrity
- High: the attacker can write, modify or delete all data.
- Availability
- High: complete outage or resource exhaustion. Total denial of service.
Affected Software
Package Information
- Last updated
- 20.18.0 (recently)
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The most effective mitigation for CVE-2021-21427 is to immediately upgrade to a patched version of Magento LTS, specifically v19.4.13 or v20.0.9. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strengthening input validation and sanitization within the application code. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Review and harden database user permissions to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the affected endpoints and verifying that the attack is blocked.
How to Fix
Update Magento LTS to version 19.4.13 or 20.0.9, or a later release, to fix the blind SQL injection vulnerability. This update fixes an issue that could allow an unauthorized administrator to access restricted resources. Taking a backup before updating is recommended.
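A quick way to check whether a project's composer.lock still pins an unpatched openmage/magento-lts release, as an added example (not code from the advisory or the OpenMage project). It uses the fixed versions 19.4.13 and 20.0.9 from this page; the rule that any lower release of the same branch counts as unpatched, and the sample lock file, are assumptions.

```python
"""Check a composer.lock for an unpatched openmage/magento-lts (CVE-2021-21427).
Added example, not advisory or OpenMage code. Fixed versions 19.4.13 / 20.0.9 are
from the advisory; treating every lower release of a branch as unpatched is an assumption."""
import json
import re

PACKAGE = "openmage/magento-lts"
FIXED_BY_BRANCH = {19: (19, 4, 13), 20: (20, 0, 9)}  # fixed version per major branch


def parse_version(text):
    """Turn 'v19.4.9', '19.4.9' or '20.0.9-p1' into a comparable tuple (19, 4, 9)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def find_installed_version(lock):
    """Return the locked version of the package, or None if it is not installed."""
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def assess(lock):
    """Classify a parsed lock file: not-installed, patched, vulnerable or unknown-branch."""
    version = find_installed_version(lock)
    if version is None:
        return "not-installed"
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[0])
    if fixed is None:
        return "unknown-branch"  # e.g. an old 1.9.x tag: check the advisory by hand
    return "patched" if parsed >= fixed else "vulnerable"


# Constructed sample lock file (not from any real project): pins the last vulnerable release.
SAMPLE_LOCK = json.loads('{"packages": [{"name": "openmage/magento-lts", "version": "v19.4.9"},'
                         ' {"name": "symfony/console", "version": "v4.4.20"}], "packages-dev": []}')

if __name__ == "__main__":
    print(f"{PACKAGE} {find_installed_version(SAMPLE_LOCK)}: {assess(SAMPLE_LOCK)}")
```

Point the script at a real lock file by replacing SAMPLE_LOCK with `json.load(open("composer.lock"))`; a result of "vulnerable" means the upgrade above is still pending.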
Frequently Asked Questions
What is CVE-2021-21427 — SQL Injection in Magento LTS?
CVE-2021-21427 is a critical SQL injection vulnerability affecting Magento LTS versions up to v19.4.9, allowing unauthorized access to restricted resources.
Am I affected by CVE-2021-21427 in Magento LTS?
If you are running Magento LTS versions 19.4.9 or earlier, you are vulnerable. Upgrade to v19.4.13 or v20.0.9 to resolve the issue.
How do I fix CVE-2021-21427 in Magento LTS?
Upgrade to Magento LTS version 19.4.13 or 20.0.9. Consider temporary workarounds like input validation if immediate upgrade is not possible.
Is CVE-2021-21427 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity makes it a high-priority target.
Where can I find the official Magento advisory for CVE-2021-21427?
Refer to the Adobe Security Bulletin APSB21-08: https://helpx.adobe.com/security/products/magento/apsb21-08.html