SB2019041047 - SQL injection in Magento, Magento Open Source

Description

This security bulletin contains information about 1 vulnerability.

1) SQL injection (CVE-ID: CVE-2019-7139)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2.

Remediation

Install update from vendor's website.

References

• https://magento.com/security/patches/magento-2.3.2-2.2.9-and-2.1.18-security-update-13
• https://www.ambionics.io/blog/magento-sqli