• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability In Magento
How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento

On Sunday, Feb 13, Adobe published a Security Bulletin. The company has rolled out patches for a new Critical 0-day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. The vulnerability tracked as CVE-2022-24086 is characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the products since this is a pre-authenticated flaw with the CVSS score of 9.8 out of 10. It is critical and being exploited in the wild. It would be best if you fixed it. In this post, let’s see How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products.

What Is Improper Input Validation?

First, see what Input Validation is. Input validation is a common technique used to check potentially dangerous inputs to ensure that the inputs are safe for processing within the code or when communicating with other software components. When software fails to validate input properly, attackers are able to craft the malicious input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Summary Of CVE-2022-24086- A Arbitrary Code Execution Vulnerability In Magento And Commerce:

This is a pre-authenticated flaw characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the Adobe products.

Associated CVE IDCVE-2022-0513
DescriptionImproper input validation in Magento and Commerce open source adobe products.
Associated ZDI ID
CVSS Score9.8 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Adobe Products Affected By The CVE-2022-24086 Vulnerability:

The vulnerability affects Magento and Commerce open-source Adobe products 2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions.

Note: Adobe confirmed that Commerce 2.3.3 and lower are not affected.

ProductVersionPlatform
 Adobe Commerce2.4.3-p1 and earlier versions  All
2.3.7-p2 and earlier versions  All
Magento Open Source2.4.3-p1 and earlier versions       All
2.3.7-p2 and earlier versionsAll

How To Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability In Magento And Commerce?

Adobe has responded to the vulnerability by rolling out patches to fix it. Adobe recommends users update their installation to the latest version. Here you can see the patched version details in the table.

ProductUpdated VersionPlatformPriority RatingInstallation Instructions
Adobe CommerceMDVA-43395_EE_2.4.3-p1_v1All1Release Notes

How to Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability in Magento and Commerce?

  1. Download the Patches

    Download one of the following patches:

    MDVA-43395_EE_2.4.3-p1_v1.patch.zip

    MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip

  2. Apply a composer patch for Adobe Commerce on cloud infrastructure

    Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory. Create the directory in the project root if you don’t have.

    Add, commit, and push your code changes:

    # git add -A
    # git commit -m “Apply %patch_name%.composer.patch patch”
    # git push origin

    Click here for more information.

  3. Apply a composer patch for Adobe Commerce on-premises and Magento Open Source

    Upload the downloaded patch files to your Adobe Commerce on-premises or Magento Open Source root directory. Run the following command


    # patch -p1 < %patch_name%.composer.patch
    OR
    # patch -p2 < %patch_name%.composer.patch

  4. Refresh the cache

    Refresh the cache to apply the changes:
    Admin under System > Cache Management.

We hope this post will help you know How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.