Platform
php
Component
openmage/magento-lts
Fixed in
19.4.13
20.0.9
CVE-2021-21427 is a critical SQL injection vulnerability in Magento LTS. The flaw allows an unauthorized administrator to access restricted resources within the platform. It affects Magento LTS versions up to and including v19.4.9; the fix is available in v19.4.13 and v20.0.9.
The primary impact of CVE-2021-21427 is the potential for unauthorized access to sensitive data and administrative functions within a Magento store. A successful attacker could leverage SQL injection to bypass authentication controls, retrieve confidential information (customer data, order details, payment information), modify data, or even gain complete control over the Magento instance. This vulnerability is a backport of CVE-2021-21024, highlighting the importance of keeping Magento LTS up-to-date with the latest security patches. The ability to manipulate database queries directly poses a significant threat to data integrity and system security.
CVE-2021-21427 was publicly disclosed on April 22, 2021. It is related to CVE-2021-21024, suggesting a shared root cause. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and the potential for significant data compromise make this vulnerability a high-priority target for attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations running Magento LTS installations, particularly those with legacy configurations or custom extensions that may not be regularly updated, are at significant risk. Shared hosting environments where multiple Magento stores share the same database are also vulnerable, as a compromise of one store could potentially impact others.
• php: Review application logs for suspicious SQL queries or error messages related to database interactions. Use a code analysis tool to scan for potential SQL injection vulnerabilities in custom code.
• generic web: Use curl or wget to test potentially vulnerable endpoints with SQL injection payloads (e.g., ' OR '1'='1). Examine response headers for unusual behavior.
• database (mysql): Connect to the Magento database using a MySQL client and attempt to execute malicious SQL queries. Monitor database logs for unauthorized access attempts.
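The log review suggested for the php bullet above can be automated. The following is an added example, not code from the page or from the Magento LTS project: it reads combined-format access log lines (constructed samples; the admin paths and IPs are illustrative, not the affected endpoint), URL-decodes the request target twice so double-encoded probes are not missed, and flags lines matching a handful of generic SQL injection indicators. The pattern list is an assumption to be tuned for a real site, and it will produce false positives on legitimate parameters that happen to contain quotes or comment markers.

```php
<?php
// Added example (not part of the original page): flag requests whose decoded
// request target carries common SQL injection indicators.
// The log lines below are constructed; the patterns are generic and need
// tuning per site.

declare(strict_types=1);

const SQLI_PATTERNS = [
    '/\bunion\b[\s\/\*]+(all[\s\/\*]+)?\bselect\b/i',   // stacked SELECT via UNION
    "/'\s*(or|and)\s*'?[\w]+'?\s*=\s*'?[\w]+/i",         // ' OR '1'='1 family
    '/\b(sleep|benchmark)\s*\(/i',                        // time-based blind probes
    '/\binformation_schema\b/i',                          // schema enumeration
    '/(--|#|\/\*)\s*$/',                                  // trailing comment cutting off the query
];

/**
 * Scan combined-format access log lines and return the ones that look like
 * SQL injection attempts, with the source IP, timestamp and decoded target.
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Apache/nginx combined format: client IP first, request in quotes.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $target] = $m;
        // Decode twice: double-encoded payloads slip past single-decode filters.
        $decoded = urldecode(urldecode($target));
        foreach (SQLI_PATTERNS as $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = ['ip' => $ip, 'time' => $ts, 'target' => $decoded, 'pattern' => $re];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample log: two benign requests, one plain and one double-encoded probe.
$sampleLog = [
    '203.0.113.5 - - [22/Apr/2021:10:01:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Apr/2021:10:01:09 +0000] "GET /admin/example_grid/index?sort=entity_id%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7201',
    '198.51.100.7 - - [22/Apr/2021:10:02:15 +0000] "GET /admin/example_grid/index?sort=entity_id%2520UNION%2520SELECT%25201 HTTP/1.1" 500 311',
    '198.51.100.7 - - [22/Apr/2021:10:02:16 +0000] "POST /admin/index/index HTTP/1.1" 302 0',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("%s %s %s\n", $hit['time'], $hit['ip'], $hit['target']);
}
```

Running the block reports the two probe lines (the second and third entries) and nothing else; feeding it a real log is a matter of replacing `$sampleLog` with `file('access.log')`.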
EPSS
0.64% (70th percentile)
The most effective mitigation for CVE-2021-21427 is to immediately upgrade to a patched version of Magento LTS, specifically v19.4.13 or v20.0.9. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strengthening input validation and sanitization within the application code. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Review and harden database user permissions to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the affected endpoints and verifying that the attack is blocked.
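The "input validation and sanitization" workaround above means, concretely, never splicing request data into SQL text. The following is an added illustration and is not Magento's own code or its patch: it shows the same lookup written with string concatenation and with a PDO prepared statement, plus an allowlist for an identifier (sort column) that cannot be bound as a parameter. The `sales_order` table, its columns and the sample rows are constructed for the demo, which runs against an in-memory SQLite database (assumes the `pdo_sqlite` extension).

```php
<?php
// Added illustration (not Magento LTS code): concatenated query versus
// prepared statement plus identifier allowlist. Table `sales_order` with
// columns `entity_id`, `increment_id`, `status` is constructed for the demo.

declare(strict_types=1);

// Vulnerable form: request data is spliced into SQL, so an input such as
// "' OR '1'='1" changes the structure of the query instead of being data.
function findOrderUnsafe(PDO $db, string $incrementId): array
{
    $sql = "SELECT entity_id, status FROM sales_order WHERE increment_id = '" . $incrementId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter, never as SQL text.
function findOrderSafe(PDO $db, string $incrementId): array
{
    $stmt = $db->prepare('SELECT entity_id, status FROM sales_order WHERE increment_id = :inc');
    $stmt->execute([':inc' => $incrementId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names, sort direction) cannot be bound, so validate
// them against a fixed allowlist before interpolating them into the query.
function listOrdersSorted(PDO $db, string $sortField, string $direction): array
{
    $allowedFields = ['entity_id', 'increment_id', 'status'];
    if (!in_array($sortField, $allowedFields, true)) {
        throw new InvalidArgumentException('unknown sort field');
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $db->query("SELECT entity_id, increment_id, status FROM sales_order ORDER BY {$sortField} {$direction}");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sales_order (entity_id INTEGER PRIMARY KEY, increment_id TEXT, status TEXT)');
$db->exec("INSERT INTO sales_order (increment_id, status) VALUES ('100000001', 'complete'), ('100000002', 'pending')");

$payload = "' OR '1'='1";
printf("unsafe rows: %d\n", count(findOrderUnsafe($db, $payload))); // every row: the WHERE clause became always-true
printf("safe rows: %d\n", count(findOrderSafe($db, $payload)));     // 0: the payload is compared as a literal string
printf("sorted rows: %d\n", count(listOrdersSorted($db, 'status', 'desc')));
```

The allowlist is the part most often forgotten: binding handles values, but a column name or `ORDER BY` direction taken from the request still has to be checked against a fixed set before it reaches the query string.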
Update Magento LTS to version 19.4.13 or 20.0.9, or a later version, to fix the blind SQL injection vulnerability. This update corrects an issue that could allow an unauthorized administrator to access restricted resources. Taking a backup before updating is recommended.
CVE-2021-21427 is a critical SQL injection vulnerability affecting Magento LTS versions up to v19.4.9, allowing unauthorized access to restricted resources.
If you are running Magento LTS versions 19.4.9 or earlier, you are vulnerable. Upgrade to v19.4.13 or v20.0.9 to resolve the issue.
Upgrade to Magento LTS version 19.4.13 or 20.0.9. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity makes it a high-priority target.
Refer to the Adobe Security Bulletin APSB21-08: https://helpx.adobe.com/security/products/magento/apsb21-08.html