eCommerce

Security update for the arbitrary code execution vulnerability in Adobe Commerce and Magento Open Source.


This week Adobe released security bulletin APSB22-12 dedicated to the vulnerability CVE-2022-24086. Its exploitation could allow arbitrary code execution. The flaw received a CVSS score of 9.8 out of a possible 10, marking it as critical. Adobe also stated that the issue was discovered by its internal security team and that the vulnerability has been exploited in very limited attacks.

The affected Adobe Commerce and Magento Open Source versions are 2.4.3-p1 and earlier, and 2.3.7-p2 and earlier down to 2.3.3-p1. Versions 2.3.3 and lower are not affected.

The security update named MDVA-43395_EE_2.4.3-p1_v1 was released and can be installed manually or using Composer. It was tested for compatibility with all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1. The update is available for both Adobe Commerce and Magento Open Source.
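Before applying the update, an operator usually wants a quick answer to "is this installation in the affected range?". The following script is an added example, not code from the post or from Adobe: it reads a composer.lock, locates the Magento metapackage (magento/product-community-edition for Magento Open Source, magento/product-enterprise-edition for Adobe Commerce) and compares its version against the affected ranges stated above. The sample lock file embedded at the bottom is constructed for illustration, and the 2.4.0 lower bound of the 2.4.x range is taken from the compatibility range quoted for the update.

```python
import json
import re
from typing import Optional, Tuple

# Versions are compared as (major, minor, patch, p-level), so "2.4.3-p1"
# becomes (2, 4, 3, 1) and plain "2.3.3" becomes (2, 3, 3, 0).
Version = Tuple[int, int, int, int]

# Affected ranges as stated in the post (inclusive on both ends):
#   2.3.3-p1 .. 2.3.7-p2   and   2.4.0 .. 2.4.3-p1
# 2.3.3 and lower are not affected.
AFFECTED_RANGES = (
    ((2, 3, 3, 1), (2, 3, 7, 2)),
    ((2, 4, 0, 0), (2, 4, 3, 1)),
)

# Composer metapackages that carry the product version for each edition.
MAGENTO_PACKAGES = (
    "magento/product-community-edition",   # Magento Open Source
    "magento/product-enterprise-edition",  # Adobe Commerce
)

# Accepts "2.4.3-p1" as well as the hyphen-less "2.4.3p1" spelling.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?p(\d+))?$")


def parse_version(version: str) -> Version:
    """Turn a Magento version string into a comparable tuple."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Magento version: {version!r}")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def installed_magento_version(composer_lock_text: str) -> Optional[str]:
    """Return the version of the Magento metapackage recorded in composer.lock."""
    lock = json.loads(composer_lock_text)
    for package in lock.get("packages", []):
        if package.get("name") in MAGENTO_PACKAGES:
            return package.get("version")
    return None


def check_installation(composer_lock_text: str) -> str:
    """Human-readable verdict for one composer.lock."""
    version = installed_magento_version(composer_lock_text)
    if version is None:
        return "no Magento metapackage found in composer.lock"
    verdict = "AFFECTED" if is_affected(version) else "not affected"
    return f"{version}: {verdict} by CVE-2022-24086"


# Constructed sample lock file (not from a real installation).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "103.0.3-p1"},
        {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
    ]
})

if __name__ == "__main__":
    # Replace the sample with open("composer.lock").read() on a real host.
    print(check_installation(SAMPLE_COMPOSER_LOCK))
```

The comparison is deliberately tuple-based rather than a string comparison: "2.4.3-p1" must sort above "2.4.3" and below "2.4.4", and a naive string compare gets "2.3.10"-style versions wrong.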

The update contains changes applied to two files:

vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php

vendor/magento/module-email/Model/Template/Filter.php

The vulnerability evidently lies in the directive processor: Adobe Commerce and Magento Open Source versions 2.3.3 and earlier do not contain the file VarDirective.php or any implementation of DirectiveProcessorInterface, which is consistent with those versions being unaffected.
