GHSA-595p-g7xc-c333: 
PHP Análise e mitigação de vulnerabilidades

Impact

Versions of the Algolia Search & Discovery extension for Magento 2 prior to 3.17.2 and 3.16.2 contain a vulnerability where data read from the database was treated as a trusted source during job execution. If an attacker is able to modify records used by the extension’s indexing queue, this could result in arbitrary PHP code execution when the affected job is processed. Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.

Patches

This vulnerability has been fixed in the following versions: - 3.17.2 - 3.16.2 Merchants should upgrade to a supported patched version immediately. Versions outside the supported maintenance window do not receive security updates and remain vulnerable.

Workarounds

Upgrading to a patched version is the only recommended remediation. If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure: - Disable the Algolia indexing queue to prevent queued jobs from being executed. - Restrict job execution logic to an explicit allowlist of permitted operations. - Review the contents of the algoliasearch_queue table for unexpected or unrecognized entries. - If queue archiving is enabled, review historical records in algoliasearch_queue_archive. These mitigations are provided as guidance only and do not replace upgrading to a patched version.

References

• Algolia Search & Discovery for Magento 2 releases:
  • 3.16.2
  • 3.17.2