Add CVE-2024-34102 for Magento - Server-Side Request Forgery. #727
Conversation
… arbitrary code execution.
branches:
"2.4":
time: 2024-06-11 14:03:00
versions: [ '<2.4.4']
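Review bot: the `versions: [ '<2.4.4']` constraint on the `2.4` branch has no lower bound and stops at 2.4.4, while the PR description says the fix shipped in 2.4.4-p8, so 2.4.4 and its p1 through p7 patch releases would not be flagged by this entry on its own. Either add a constraint covering that line, for example `versions: ['>=2.4.4', '<2.4.4-p8']` as a separate branch entry, or state in the PR why the 2.4.4 patch releases are left out; the open lower bound also deserves a sentence, since the release notes only list still-supported versions. Minor style point: drop the stray space after `[` in the versions list.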
Is this true? The release notes don't have any information about 2.4.0 and 2.4.1.
The notes only publish info on versions that are still supported; 2.4.3/2.4.2 are not supported on the community/open source edition, so they are not listed there. Got to assume the vulnerability existed on all earlier versions.
Yes, that is what I assumed as well. Let's note that Magento does not strictly follow semantic versioning, so 2.4.4 is a major release, as is 2.4.5.
And because the Magento security advisories have not been maintained, these versions wouldn't trigger any other security issues. These old versions are definitely affected by issues.
We do actually use the security advisories in our pipelines, so we will try to keep on top of the subject from now on. Adding all the security bulletins published for Magento since the last one was contributed in 2019 would be quite a big task. I am not sure it would be very useful.
Co-authored-by: Nils Adermann <[email protected]>
I wonder who at Adobe would be the right person to contact about providing info on these security bulletins in a machine-readable format we can at least directly import into packagist.org's database, which composer audit uses. Although that still wouldn't help people who rely on this repository here for other tooling.
This PR adds CVE-2024-34102.
This CVE affects all versions of Magento prior to 2.4.4-p8. Magento versions prior to 2.4.4 are not maintained; there is therefore no fix deployed for those versions.
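To make the version-range discussion above concrete, here is an added example (not code from this PR, the security-advisories repository or Composer) that evaluates an advisory entry's `versions` constraints against a list of installed Magento versions. It uses a deliberately simplified approximation of Composer's ordering (numeric parts, then a stability stage where `-pN` patch releases sort after the plain release), which is an assumption stated in the code; the sample version list and the second, hypothetical `2.4.4` branch entry are constructed for the demonstration and are not part of the PR.

```python
import re

# Stability ordering approximating Composer's: dev < alpha < beta < RC < stable < patch.
# "p" / "pl" / "patch" is the suffix Magento uses for its security patch releases (2.4.4-p8).
# Assumption: this is a simplified model, not Composer's own version parser.
_STAGES = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3,
           "": 4, "p": 5, "pl": 5, "patch": 5}

_VERSION_RE = re.compile(
    r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?"   # up to four numeric parts
    r"(?:[-._]?([A-Za-z]+)\.?(\d*))?"                 # optional stability suffix, e.g. -p8, -RC1
)

_OPERATORS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}
# Longer operators are listed first so that "<=" is not read as "<" followed by "=".
_CONSTRAINT_RE = re.compile(r"\s*(<=|>=|==|!=|<|>|=)?\s*(\S+)\s*")


def normalize(version: str) -> tuple:
    """Map a version string to a tuple that sorts the way releases are ordered:
    four numeric parts, then the stability stage, then the stage number."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(m.group(i) or 0) for i in range(1, 5))
    stage = (m.group(5) or "").lower()
    if stage not in _STAGES:
        raise ValueError(f"unknown stability suffix in {version!r}")
    return numbers + (_STAGES[stage], int(m.group(6) or 0))


def satisfies(version: str, constraint: str) -> bool:
    """Evaluate one constraint such as '<2.4.4' or '>=2.4.4' against a version."""
    m = _CONSTRAINT_RE.fullmatch(constraint)
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1) or "="
    return _OPERATORS[op](normalize(version), normalize(m.group(2)))


def is_affected(version: str, branches: dict) -> bool:
    """A version is affected when every constraint in some branch's `versions`
    list holds: constraints inside one branch are ANDed, branches are alternatives."""
    return any(all(satisfies(version, c) for c in b["versions"])
               for b in branches.values())


def flagged(candidates, branches):
    """Return the candidate versions the advisory entry would flag."""
    return [v for v in candidates if is_affected(v, branches)]


# The branch entry as submitted in the PR.
ADVISORY_AS_SUBMITTED = {
    "2.4": {"time": "2024-06-11 14:03:00", "versions": ["<2.4.4"]},
}

# Hypothetical extension (not in the PR): a second branch that also covers the 2.4.4
# patch releases up to the fixed release the PR description names. Branch keys are labels.
ADVISORY_WITH_PATCH_LINE = {
    "2.4": {"time": "2024-06-11 14:03:00", "versions": ["<2.4.4"]},
    "2.4.4": {"time": "2024-06-11 14:03:00", "versions": [">=2.4.4", "<2.4.4-p8"]},
}

if __name__ == "__main__":
    # Constructed sample of installed versions, not data from the page.
    installed = ["2.3.7-p4", "2.4.3-p3", "2.4.4", "2.4.4-p7", "2.4.4-p8", "2.4.7"]
    print("as submitted:        ", flagged(installed, ADVISORY_AS_SUBMITTED))
    print("with 2.4.4 patch line:", flagged(installed, ADVISORY_WITH_PATCH_LINE))
```

Running it shows the gap a reviewer would look for: with `<2.4.4` alone, 2.4.4 through 2.4.4-p7 are not flagged even though the description says the fix only arrived in 2.4.4-p8, because a patch release sorts after its base release rather than before it.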