Security updates for arbitrary code execution vulnerability in Adobe Commerce and Magento Open source.


This week Adobe released security bulletin APSB22-12 for the vulnerability CVE-2022-24086, whose exploitation could allow arbitrary code execution. The flaw received a CVSS score of 9.8 out of a possible 10, marking it as critical. Adobe also stated that its internal security team discovered the issue and that the vulnerability has been exploited in very limited attacks.

The affected Adobe Commerce and Magento Open source versions are 2.4.3-p1 and earlier, and 2.3.7-p2 and earlier down to 2.3.4; versions 2.3.3 and lower are not affected.

The security update named MDVA-43395_EE_2.4.3-p1_v1 was released and can be installed manually or using Composer. It was tested for compatibility with all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1. The update is available for both Adobe Commerce and Magento Open source.
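A triage helper for the version ranges above, added here as an example and not part of the original article or of Adobe's patch tooling; the composer.lock metapackage names and the sample lock content are assumptions.

```python
import json
import re
from typing import Optional, Tuple

# Affected ranges as stated above (inclusive bounds).
# 2.3.3 and lower are not affected, so the 2.3 range starts at 2.3.4.
AFFECTED_RANGES = [
    ((2, 3, 4, 0), (2, 3, 7, 2)),  # 2.3.4 .. 2.3.7-p2
    ((2, 4, 0, 0), (2, 4, 3, 1)),  # 2.4.0 .. 2.4.3-p1
]

# Assumed names of the Magento metapackages recorded in composer.lock.
METAPACKAGES = {"magento/product-community-edition", "magento/product-enterprise-edition"}

# Accepts "2.4.3-p1" as well as the sloppy spellings "2.3.7p2" and "2.3.7p-2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?p-?(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Magento version string into a tuple that compares in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel) if plevel else 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def version_from_composer_lock(lock_json: str) -> Optional[str]:
    """Return the installed Magento metapackage version from composer.lock text, if any."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in METAPACKAGES:
            return pkg.get("version")
    return None


# Constructed sample composer.lock content (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.3-p1"},
    {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
]})

if __name__ == "__main__":
    installed = version_from_composer_lock(SAMPLE_LOCK)
    print(installed, "affected by CVE-2022-24086:", is_affected(installed))
```

Run it against the real composer.lock of a deployment to decide whether the MDVA-43395 patch (or an upgrade to a fixed release) is still outstanding.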

The update contains changes applied to two files:

vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php

vendor/magento/module-email/Model/Template/Filter.php

Evidently, the vulnerability is related to the directive processor, since Adobe Commerce and Magento Open source versions 2.3.3 and earlier have neither the file VarDirective.php nor any files for DirectiveProcessorInterface.