Backport for CVE-2021-21024 Blind SQLi from Magento 2
Platform: php
Component: openmage/magento-lts
Fixed in: 19.4.13, 20.0.9
CVE-2021-21427 is a critical SQL injection vulnerability discovered in Magento LTS. The flaw allows an unauthorized administrator to access restricted resources within the platform. It affects Magento LTS versions up to and including v19.4.9; a fix is available in v19.4.13 and v20.0.9.
Impact and Attack Scenarios
The primary impact of CVE-2021-21427 is the potential for unauthorized access to sensitive data and administrative functions within a Magento store. A successful attacker could leverage SQL injection to bypass authentication controls, retrieve confidential information (customer data, order details, payment information), modify data, or even gain complete control over the Magento instance. This vulnerability is a backport of CVE-2021-21024, highlighting the importance of keeping Magento LTS up-to-date with the latest security patches. The ability to manipulate database queries directly poses a significant threat to data integrity and system security.
Exploitation Context
CVE-2021-21427 was publicly disclosed on April 22, 2021. It is related to CVE-2021-21024, suggesting a shared root cause. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and the potential for significant data compromise make this vulnerability a high-priority target for attackers. The vulnerability is not currently listed on the CISA KEV catalog.
Who Is at Risk
Organizations running Magento LTS installations, particularly those with legacy configurations or custom extensions that may not be regularly updated, are at significant risk. Shared hosting environments where multiple Magento stores share the same database are also vulnerable, as a compromise of one store could potentially impact others.
Detection Steps
• php: Review application logs for suspicious SQL queries or error messages related to database interactions. Use a code analysis tool to scan for potential SQL injection vulnerabilities in custom code.
• generic web: Use curl or wget to test potentially vulnerable endpoints with SQL injection payloads (e.g., ' OR '1'='1). Examine response headers for unusual behavior.
• database (mysql): Connect to the Magento database using a MySQL client and attempt to execute malicious SQL queries. Monitor database logs for unauthorized access attempts.
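To make the log-review step concrete, here is an added example, not code from the advisory or from the openmage/magento-lts project, that scans web-server access-log lines for the SQL injection indicators a reviewer would look for, including the time-based functions characteristic of blind injection. The log lines, request paths and parameter names are constructed for illustration, and the indicator list is a starting point to be tuned against real traffic.

```php
<?php
// Added example, not from the advisory or from openmage/magento-lts.
// Flags access-log lines whose request URL carries common SQL injection
// indicators. Sample log lines below are constructed, not real traffic.

declare(strict_types=1);

/**
 * Indicators commonly seen in SQL injection probes. Matched case-insensitively
 * against the URL-decoded request target. Extend or tighten for your own site;
 * legitimate search terms can occasionally trip the looser patterns.
 */
const SQLI_INDICATORS = [
    'tautology'     => "/'\\s*or\\s*'?1'?\\s*=\\s*'?1/i",          // ' OR '1'='1
    'union_select'  => '/\\bunion\\b[\\s\\/\\*]+(?:all\\s+)?select\\b/i',
    'time_based'    => '/\\b(?:sleep|benchmark)\\s*\\(/i',           // blind, time-based probes
    'comment_trunc' => '/(?:--|\\/\\*)\\s*$/',                        // trailing comment to cut the query
    'info_schema'   => '/\\binformation_schema\\b/i',
];

/**
 * Extract the request target from a combined-format access-log line.
 * Returns null when the line does not contain an HTTP request.
 */
function extractRequest(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|PUT|DELETE)\\s+(\\S+)\\s+HTTP\\/[\\d.]+"/', $line, $m)) {
        return null;
    }
    // Decode twice: probes are frequently double-encoded to slip past filters.
    return urldecode(urldecode($m[1]));
}

/**
 * Return the names of the indicators that fire for one log line.
 * An empty array means nothing suspicious was found.
 */
function classifyLine(string $line): array
{
    $request = extractRequest($line);
    if ($request === null) {
        return [];
    }
    $hits = [];
    foreach (SQLI_INDICATORS as $name => $regex) {
        if (preg_match($regex, $request)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log lines; paths and parameters are hypothetical.
$sampleLog = [
    '203.0.113.5 - - [22/Apr/2021:10:00:01 +0000] "GET /index.php/example/list/?q=shoes HTTP/1.1" 200 5123',
    '203.0.113.5 - - [22/Apr/2021:10:00:02 +0000] "GET /index.php/example/list/?q=shoes%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811',
    '203.0.113.5 - - [22/Apr/2021:10:00:03 +0000] "GET /index.php/example/view/?id=1%20AND%20SLEEP(5)-- HTTP/1.1" 200 412',
    '198.51.100.7 - - [22/Apr/2021:10:00:04 +0000] "POST /index.php/checkout/cart/add/ HTTP/1.1" 302 0',
];

foreach ($sampleLog as $line) {
    $hits = classifyLine($line);
    if ($hits !== []) {
        printf("SUSPECT [%s]: %s\n", implode(',', $hits), $line);
    }
}
```

Run it over a real access log with `while (($line = fgets($fh)) !== false)` in place of the sample array; a burst of time-based hits from one client against the same parameter, with near-identical response sizes, is the pattern that distinguishes a blind injection probe from a stray apostrophe in a search term.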
Attack Timeline
- Disclosure
- Patch
Threat Intelligence
Exploit Status
EPSS: 0.64% (70th percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector: Network. Remotely exploitable over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; the attacker can exploit reliably.
- Privileges Required: High. An administrator or otherwise privileged account is required.
- User Interaction: None. The attack is automatic and silent; the victim does nothing.
- Scope: Changed. The attack can pivot beyond the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, modify or delete any data.
- Availability: High. Complete failure or resource exhaustion; total denial of service.
Affected Software
Package information
- Latest release: 20.18.0 (updated recently)
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The most effective mitigation for CVE-2021-21427 is to immediately upgrade to a patched version of Magento LTS, specifically v19.4.13 or v20.0.9. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as strengthening input validation and sanitization within the application code. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. Review and harden database user permissions to limit the potential impact of a successful attack. After upgrading, confirm the fix by attempting a SQL injection attack on the affected endpoints and verifying that the attack is blocked.
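The "input validation and sanitization" workaround above comes down to one rule: request data must never become part of the SQL text. The following added example, which is not code from the advisory or from openmage/magento-lts and uses hypothetical table and function names, shows the defect class beside its fix against an in-memory SQLite database: the vulnerable function concatenates an id into the query, while the fixed one validates the id against an allow-list and binds it as a typed parameter.

```php
<?php
// Added example, not from the advisory or from openmage/magento-lts.
// Table, column and function names are hypothetical; rows are constructed.

declare(strict_types=1);

/**
 * VULNERABLE ("before" picture, kept only to show the defect): the request
 * parameter is interpolated into SQL, so a value such as "1 OR 1=1" changes
 * the query's logic. When only a true/false or timing difference is visible
 * to the caller, the flaw is blind but still fully exploitable.
 */
function findItemVulnerable(PDO $db, string $id): array
{
    $sql = 'SELECT id, title FROM demo_items WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * FIXED: allow-list the input's shape first, then bind it as a typed
 * parameter. The database receives the SQL text and the value separately,
 * so the value can never alter the query's structure.
 */
function findItemSafe(PDO $db, string $id): array
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        throw new InvalidArgumentException('id must be a decimal integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM demo_items WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo: in-memory SQLite with two constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE demo_items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO demo_items VALUES (1, 'Home banner'), (2, 'Internal test')");

$untrusted = '1 OR 1=1'; // constructed attacker-style input

// The vulnerable query returns both rows: the WHERE clause was rewritten.
echo count(findItemVulnerable($db, $untrusted)), " rows from the vulnerable query\n";

// The fixed query rejects the input before it reaches the database.
try {
    findItemSafe($db, $untrusted);
} catch (InvalidArgumentException $e) {
    echo "safe query rejected input: {$e->getMessage()}\n";
}

// With well-formed input the fixed query returns exactly the requested row.
echo count(findItemSafe($db, '1')), " row from the safe query with valid input\n";
```

Against MySQL, keep `PDO::ATTR_EMULATE_PREPARES` set to `false` so that binding is performed by the server rather than by client-side quoting; Magento LTS's Zend_Db-derived adapter accepts bound parameters in the same way, so the same separation of query text from values is available without leaving the framework. The validation step is deliberately an allow-list (what a valid id looks like), not a block-list of dangerous characters, because block-lists are what encoded and double-encoded probes are designed to get past.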
How to Fix
Update Magento LTS to version 19.4.13 or 20.0.9, or a later version, to fix the blind SQL injection vulnerability. The update corrects an issue that could allow an unauthorized administrator to access restricted resources. Taking a backup before updating is recommended.
Frequently Asked Questions
What is CVE-2021-21427 — SQL Injection in Magento LTS?
CVE-2021-21427 is a critical SQL injection vulnerability affecting Magento LTS versions up to v19.4.9, allowing unauthorized access to restricted resources.
Am I affected by CVE-2021-21427 in Magento LTS?
If you are running Magento LTS versions 19.4.9 or earlier, you are vulnerable. Upgrade to v19.4.13 or v20.0.9 to resolve the issue.
How do I fix CVE-2021-21427 in Magento LTS?
Upgrade to Magento LTS version 19.4.13 or 20.0.9. Consider temporary workarounds like input validation if immediate upgrade is not possible.
Is CVE-2021-21427 being actively exploited?
While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity makes it a high-priority target.
Where can I find the official Magento advisory for CVE-2021-21427?
Refer to the Adobe Security Bulletin APSB21-08: https://helpx.adobe.com/security/products/magento/apsb21-08.html