Security updates for arbitrary code execution vulnerability in Adobe Commerce and Magento Open Source. New information.
zlogicmaster February 21, 2022

Adobe recently updated security bulletin APSB22-12, which covers the vulnerability CVE-2022-24086. An additional patch is now required. We have gathered some more information about the flaw.

As mentioned in the previous article, exploiting the vulnerability could allow arbitrary code execution. The flaw received a CVSS score of 9.8 out of a possible 10, marking it as critical. Adobe also stated that its internal security team discovered the issue and that the vulnerability has been exploited in very limited attacks.

The issue can appear wherever the Mustache template system is used, namely in emails, CMS pages, and CMS blocks. Some third-party extensions use this system as well.

By default, everything enclosed in curly brackets {{...}} should be processed and converted into valid HTML code. However, if the code included another set of curly brackets inside the first one, the content of the inner brackets remained unchanged, leaving a possible path to arbitrary code execution.

The first patch, released on the 13th of February, checked the template after Mustache had processed it. Any leftover curly brackets were removed together with the text inside them.

The second patch adjusted this behavior so that only the curly brackets are removed. All the text that was inside them is still available.

How can you test the patches?

Add some test code to an email template. For example:

<div>Test patch: {{trans "%v1%v2" v1="{{possible exploit can be here}" v2="}" }}</div>

An unpatched system will show: <div>Test patch: {{possible exploit can be here}}</div>

Once patch #1 is applied, the output will be: <div>Test patch: </div>

Once patch #2 is applied, the output will be: <div>Test patch: possible exploit can be here</div>

You can also run this check on CMS blocks and CMS pages, and in any other place where you suspect the flaw could appear.

It is also worth checking your site after installing the patches. Any injected code will now be visible as plain HTML text.
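To make the test above repeatable, here is a small checker, added as an example and not taken from the original article or from Adobe's patches. It models the two post-processing behaviours as the article describes them, classifies the rendered test output, and flags stored content where one directive opens inside another. The function names and the nesting regex are assumptions made for illustration.

```python
import re

# Marker and expected unpatched output are the ones from the article's test.
MARKER = "possible exploit can be here"
UNPATCHED_OUTPUT = "<div>Test patch: {{" + MARKER + "}}</div>"

# A leftover directive in rendered output: "{{", text without braces, "}}".
LEFTOVER = re.compile(r"\{\{([^{}]*)\}\}")
# Heuristic (assumption): "{{" opening again before the first directive closes.
NESTED = re.compile(r"\{\{(?:(?!\}\}).)*?\{\{", re.S)


def model_patch1(rendered):
    """Patch #1 as the article describes it: drop leftover braces and their text."""
    return LEFTOVER.sub("", rendered)


def model_patch2(rendered):
    """Patch #2 as the article describes it: drop only the braces, keep the text."""
    return LEFTOVER.sub(r"\1", rendered)


def classify(rendered, marker=MARKER):
    """Map the rendered output of the article's test template to a patch level."""
    if "{{trans" in rendered:
        return "not-rendered"      # template never went through the filter
    if "{{" + marker + "}}" in rendered:
        return "unpatched"         # inner braces survived rendering
    if marker in rendered:
        return "patch2"            # braces stripped, text kept
    if "{{" in rendered:
        return "unknown"           # some other leftover directive
    return "patch1"                # braces and text both gone


def find_nested(source):
    """Offsets in stored template/CMS content where a directive nests another."""
    return [m.start() for m in NESTED.finditer(source)]


if __name__ == "__main__":
    for out in (UNPATCHED_OUTPUT, model_patch1(UNPATCHED_OUTPUT),
                model_patch2(UNPATCHED_OUTPUT)):
        print(classify(out), "<-", out)
    # Constructed sample of stored content: one normal directive, one nested.
    stored = 'Hi {{var customer.name}}, {{trans "%v1%v2" v1="{{x}" v2="}" }}'
    print("nested directive offsets:", find_nested(stored))
```

Feed `classify` the HTML body of a test email or CMS block that contains the article's test line, and run `find_nested` over exported template and CMS content to list entries that need manual review.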