CVE-2024-34102

Analysis and mitigation of the Adobe Commerce and Magento Open Source vulnerability: CRITICAL (CVSS 9.8)

High-profile threat

Overview

Adobe Commerce and Magento Open Source are vulnerable to XML External Entity (XXE) injection because external entity references in XML input are not restricted. A remote attacker can submit a crafted XML payload to a vulnerable endpoint and achieve arbitrary code execution; no authentication is required. The vulnerability was disclosed on June 13, 2024. CISA has identified CVE-2024-34102 as exploited in the wild, but it is not currently known to be used in ransomware campaigns.

Technical details

Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity references. The XML parsing code accepts documents that declare external entities and resolves them, so an unauthenticated remote attacker can send a crafted XML payload to a vulnerable endpoint and have the server process the entity references. XXE of this kind lets the attacker read local files on the server and issue server-side requests; Adobe rates the outcome as arbitrary code execution.

The vulnerability is classified as CWE-611 (Improper Restriction of XML External Entity Reference).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network, needs no privileges or user interaction, and has high impact on confidentiality, integrity and availability.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the affected server, which amounts to full compromise of the store: reading and modifying the product catalog and customer data, intercepting payment information, defacing the storefront, establishing persistent access and pivoting to internal systems. Because the root cause is XXE, an attacker who does not reach code execution directly can still read local files such as app/etc/env.php, which holds the database credentials and the store's encryption key; treat those secrets as exposed on any instance that was reachable from the internet while unpatched, and rotate them after patching.

Mitigation and workarounds

Adobe has released security patches for all affected versions (Adobe Security Bulletin APSB24-40). Merchants should upgrade to the patched release for their line immediately:
1. Commerce 2.4.7: upgrade to version 2.4.7-p1 or later
2. Commerce 2.4.6: upgrade to version 2.4.6-p6 or later
3. Commerce 2.4.5: upgrade to version 2.4.5-p8 or later
4. Commerce 2.4.4: upgrade to version 2.4.4-p9 or later
Note that plain 2.4.7 is itself affected; the fix for that line is the 2.4.7-p1 security release, not 2.4.7. Adobe has also published an isolated hotfix for this CVE for merchants who cannot take the full security release immediately. Upgrade instructions are available at https://experienceleague.adobe.com/en/docs/commerce-operations/upgrade-guide/overview

Temporary workarounds, none of which removes the flaw (only the patch does):
1. Implement web application firewall (WAF) rules that block XXE patterns in XML payloads, and monitor for payloads containing DOCTYPE declarations or SYSTEM/PUBLIC external references.
2. Restrict access to XML-processing endpoints with network-level controls and IP allowlisting where possible.
3. Disable XML-based import and integration features that are not actively used.
4. Apply strict input validation and monitor authentication attempts and XML submissions.
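As an added example, not code from Adobe, Magento or this report, the following Python implements the two defensive checks discussed in the technical details and the workarounds above: a DTD-rejecting XML parse that refuses any document with a DOCTYPE before it reaches the application parser (the CWE-611 hardening), and a request-body scanner that flags the DOCTYPE, ENTITY and SYSTEM/PUBLIC markers a WAF rule or log monitor would alert on. It uses only the standard library. The request bodies and field names (sku, comment) are constructed samples, and parse_xml_no_dtd / find_xxe_markers are names chosen here, not Magento APIs.

```python
"""Defensive XXE checks: reject DTDs before parsing, and scan request bodies for
XXE markers. Added example, not Adobe Commerce / Magento code."""
import json
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Markers a WAF rule or log monitor can key on. XML keywords are case-sensitive,
# but matching case-insensitively costs nothing and catches obfuscation attempts.
# The optional backslash lets the same pattern match quotes escaped inside JSON.
XXE_MARKERS = re.compile(
    r"""<!DOCTYPE|<!ENTITY|\b(?:SYSTEM|PUBLIC)\s+\\?["']""", re.IGNORECASE)


class DtdRejected(ValueError):
    """Raised when an XML document carries a DOCTYPE (and so may define entities)."""


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Parse XML only if it has no DTD at all.

    First pass: a bare expat parser whose doctype handler aborts on any DOCTYPE
    and whose external-entity handler refuses to fetch anything. Second pass:
    the normal ElementTree parse, now known to contain no entity declarations.
    """
    probe = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' rejected (sysid={sysid!r})")

    probe.StartDoctypeDeclHandler = on_doctype
    # Returning 0 makes expat fail with an ExpatError instead of loading the
    # referenced resource: belt and braces in case a DTD ever gets past the check.
    probe.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    probe.Parse(data, True)          # raises DtdRejected or ExpatError on bad input
    return ET.fromstring(data)


def _strings(obj):
    """Yield every string (keys and values) in a decoded JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield key
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)


def find_xxe_markers(body: bytes) -> list[str]:
    """Return the XXE markers found in a request body, in order of appearance.

    JSON bodies are decoded and every string field is scanned, because an XML
    payload sent to a JSON API usually arrives embedded in a string value;
    anything that is not JSON is scanned as raw text.
    """
    text = body.decode("utf-8", errors="replace")
    try:
        candidates = list(_strings(json.loads(text)))
    except ValueError:
        candidates = [text]
    return [m.group(0) for s in candidates for m in XXE_MARKERS.finditer(s)]


# Constructed sample inputs (not captured traffic). The hostile XML is the textbook
# XXE shape: an external entity that points at a local file.
BENIGN_XML = b"<order><sku>EXAMPLE-SKU-001</sku><comment>gift wrap</comment></order>"
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<r>&xxe;</r>')
BENIGN_BODY = json.dumps({"order": {"sku": "EXAMPLE-SKU-001", "comment": "gift wrap"}}).encode()
XXE_BODY = json.dumps({"order": {"sku": "EXAMPLE-SKU-001", "comment": XXE_XML.decode()}}).encode()


if __name__ == "__main__":
    print("benign markers:", find_xxe_markers(BENIGN_BODY))
    print("xxe markers:   ", find_xxe_markers(XXE_BODY))
    print("benign parse:  ", parse_xml_no_dtd(BENIGN_XML).find("sku").text)
    try:
        parse_xml_no_dtd(XXE_XML)
    except DtdRejected as exc:
        print("xxe parse:     ", exc)
```

The scanner is deliberately coarse: it is a triage signal for a WAF or SIEM rule, and the SYSTEM/PUBLIC pattern can in principle match legitimate prose that quotes those words, so tune or allowlist per application. The parser check is the real control: rejecting every DOCTYPE is the simplest safe policy for an API that never needs DTDs, and it also stops entity-expansion denial of service, which the marker scan alone would not.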

CISA recommendation: apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional resources

Source: this report was generated by AI.

Related Adobe vulnerabilities

No related vulnerabilities with identified affected products.