Input validation error in magento-lts

#VU52455 Input validation error in magento-lts

Published: 2021-04-21

Vulnerability identifier: #VU52455

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21426

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
magento-lts
Web applications / Modules and components for CMS

Vendor: OPENMAGE

Description

The vulnerability allows a remote attacker to delete files on the system.

The vulnerability exists due to insufficient validation of stream names within the "lib/Zend/Http/Response/Stream.php". A remote attacker can pass specially crafted input to the application and delete arbitrary files on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

magento-lts: 20.0.0 - 20.0.8, 19.4.0 - 19.4.12

External links
http://github.com/OpenMage/magento-lts/commit/6b663bbce99d46823bec690fe7a186df2b855620
http://github.com/OpenMage/magento-lts/releases/tag/v19.4.13
http://github.com/OpenMage/magento-lts/releases/tag/v20.0.10

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Magento LTS