Magento Blind SQL Injection in the Search module
Platform: php
Component: magento/community-edition
Fixed in: 2.4.2, 2.4.1, 2.3.7, 2.3.6-p1
CVE-2021-21024 describes a blind SQL injection vulnerability discovered in the Magento Community Edition Search module. Successful exploitation allows an unauthenticated attacker with admin console access to potentially access restricted resources. This vulnerability impacts versions 2.4.1 and earlier, 2.4.0-p1 and earlier, and 2.3.6 and earlier. A patch is available in version 2.3.6-p1.
Impact and Attack Scenarios
The SQL injection vulnerability in Magento's Search module poses a significant risk. An attacker, possessing administrative access, can craft malicious queries to extract sensitive data directly from the database. This could include customer Personally Identifiable Information (PII) such as names, addresses, credit card details (if stored), order history, and potentially even administrative credentials. Beyond data exfiltration, the attacker could manipulate data, leading to fraudulent orders, account takeovers, or denial of service. The blind nature of the injection means the attacker doesn't directly see the results of their queries, requiring more sophisticated techniques to extract information, but doesn't inherently limit the potential impact. This vulnerability shares characteristics with other database injection flaws, highlighting the importance of parameterized queries and input validation.
Exploitation Context
CVE-2021-21024 was publicly disclosed on May 24, 2022. While no active exploitation campaigns have been definitively confirmed, the vulnerability's critical severity and ease of exploitation make it a likely target. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, increasing the risk of opportunistic attacks.
Who Is at Risk
Organizations running Magento Community Edition versions 2.3.6 and earlier, particularly those with publicly accessible admin consoles and inadequate security measures, are at significant risk. Shared hosting environments utilizing Magento are also vulnerable, as they may lack control over the underlying server configuration and patching process.
Detection Steps
• php / server (locate the Search module's MySQL adapter and list raw SELECT strings passed to query(); find -name only matches a basename, so the path is matched with -path):
  find /var/www/html -path '*/app/code/Magento/Search/Model/Adapter/Mysql.php' -exec grep -i 'query(' {} + | grep -i 'SELECT'
• php / server (follow the PHP-FPM journal for injection-related log entries):
  journalctl -u php-fpm -f | grep -i "SQL injection"
• generic web (the payload must be URL-encoded and the URL quoted, otherwise the shell breaks on the quote and spaces; match the status line for both HTTP/1.1 and HTTP/2):
  curl -sI "https://your-magento-site.com/search?q=%27%20OR%201%3D1" | grep -iE '^HTTP/[0-9.]+ 200'
Attack Timeline
- Discovery
- Disclosure
- Patch
Threat Intelligence
Exploit Status
EPSS: 2.07% (84th percentile)
CVSS Vector
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions required; reliably exploitable.
- Privileges Required: High. An administrator or privileged account is required.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Changed. The attack can pivot beyond the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete all data.
- Availability: High. Complete outage or resource exhaustion; total denial of service.
Affected Software
Package information
- Last update: 2.4.9 (recently)
Mitigation and Workarounds
The primary mitigation for CVE-2021-21024 is to immediately upgrade to Magento Community Edition version 2.3.6-p1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the admin console using strong passwords and multi-factor authentication. Implement a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the Search module endpoints. Carefully review and validate all user inputs related to search functionality. Monitor Magento logs for suspicious activity, specifically looking for unusual database queries originating from the Search module. After upgrading, confirm the vulnerability is resolved by attempting a test SQL injection payload against the Search module and verifying that it is properly sanitized.
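As an added example (not code from the original page or from Magento), the following Python scanner implements the log-monitoring step above: it parses constructed web-server access-log lines, isolates the search parameter on the Search endpoint (assumed to be /search?q=, matching the detection commands on this page; the real store path may differ), and flags blind SQL injection indicators such as time-based probes, boolean tautologies and comment terminators.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Indicators typical of blind SQL injection in a search term: time-based probes,
# boolean tautology/contradiction pairs, trailing comment terminators that cut
# off the rest of the original query, and UNION-based extraction attempts.
BLIND_SQLI_PATTERNS = {
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "boolean_probe": re.compile(r"\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    "union_select": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I | re.S),
}

# Assumed Apache/nginx "combined" log format; only the client, timestamp,
# request target and status code are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses, fabricated timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:12:00:01 +0000] "GET /search?q=red+shoes HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2021:12:00:07 +0000] "GET /search?q=shoes%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Mar/2021:12:00:09 +0000] "GET /search?q=shoes%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Mar/2021:12:00:11 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 8000',
]

def scan_request(target, search_path="/search", param="q"):
    """Return the indicator names found in the search parameter of one request target."""
    parts = urlsplit(target)
    if not parts.path.startswith(search_path):
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        term = unquote_plus(value)  # parse_qs decoded once; this catches double encoding
        for name, pattern in BLIND_SQLI_PATTERNS.items():
            if pattern.search(term) and name not in hits:
                hits.append(name)
    return hits

def scan_log(lines):
    """Return (client_ip, timestamp, status, indicators) for each suspicious search request."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := scan_request(m.group("target"))):
            alerts.append((m.group("ip"), m.group("ts"), m.group("status"), hits))
    return alerts

if __name__ == "__main__":
    for ip, ts, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status} search-parameter indicators: {', '.join(hits)}")
```

Because blind injection returns the same page whether or not the probe succeeded, the status code alone (as in the curl check above) is a weak signal; correlating repeated probes from one client against the search endpoint is what makes this useful as an alert.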
How to Fix
Update Magento Commerce to the latest available version. Consult Adobe's security advisory for further details and specific upgrade instructions.
Frequently Asked Questions
What is CVE-2021-21024 — SQL Injection in Magento Community Edition?
CVE-2021-21024 is a critical SQL injection vulnerability affecting Magento Community Edition versions up to 2.3.6, allowing unauthorized access with admin privileges.
Am I affected by CVE-2021-21024 in Magento Community Edition?
You are affected if you are running Magento Community Edition versions 2.4.1 and earlier, 2.4.0-p1 and earlier, or 2.3.6 and earlier. Check your version and upgrade immediately.
How do I fix CVE-2021-21024 in Magento Community Edition?
Upgrade to Magento Community Edition version 2.3.6-p1 or later. Implement WAF rules and restrict admin console access as temporary mitigations.
Is CVE-2021-21024 being actively exploited?
While no confirmed active campaigns are publicly known, the vulnerability's severity and available PoCs make it a likely target for exploitation.
Where can I find the official Magento advisory for CVE-2021-21024?
Refer to the official Magento security advisory at https://dev.classmethod.com/en/2021/12/16/magento-2-4-1-security-vulnerability-sql-injection/