CVE-2024-34102
PHP vulnerability analysis and mitigation

Overview

CVE-2024-34102 is a critical vulnerability (CVSS 9.8) in Adobe Commerce and Magento Open Source, affecting versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier. Disclosed by Adobe in June 2024, it is an Improper Restriction of XML External Entity Reference (XXE, CWE-611) flaw that can lead to arbitrary code execution. Exploitation requires neither authentication nor user interaction: an unauthenticated attacker sends a crafted XML document that references external entities, and the server resolves them (NVD, Adobe Advisory).

Technical details

The root cause is the way Magento's web API input processing performs nested deserialization. When a REST request body is mapped onto the parameters of a service method, the deserializer recursively populates the target types through their constructor parameters and setter methods. Because it follows whatever type the request names, an attacker can reach and instantiate internal classes that were never meant to be user-facing. One such path instantiates a SimpleXMLElement with attacker-controlled arguments through a `sourceData` constructor parameter, so a document carrying a DOCTYPE with external entities is parsed with entity substitution and the entities are fetched and expanded on the server (Assetnote Research).
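To make the sink concrete, the following is an added PHP illustration. It is not Magento's or Adobe's code and does not reproduce the REST deserializer that reaches the sink in Magento; it isolates the parser behaviour. A parser that builds a SimpleXMLElement with LIBXML_NOENT leaks a constructed stand-in for app/etc/env.php through an external entity, while a parser that rejects DTDs and never enables entity substitution refuses the same payload. The file, its contents and the payload are constructed for the example.

```php
<?php
// Added illustration, not Adobe/Magento code: isolates the XXE sink described
// above (a SimpleXMLElement built from attacker-controlled XML with entity
// substitution enabled) and shows a hardened parser refusing the same input.
declare(strict_types=1);

// Constructed stand-in for app/etc/env.php (the real file holds the crypt key).
$secretFile = tempnam(sys_get_temp_dir(), 'env');
file_put_contents($secretFile, "<?php return ['crypt' => ['key' => 'sample-key-not-real']];\n");

// Constructed attacker payload. The php://filter wrapper base64-encodes the file
// so that its '<?php' prefix cannot break the XML the entity is expanded into.
$payload = <<<XML
<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={$secretFile}">
]>
<config><leak>&xxe;</leak></config>
XML;

// Vulnerable pattern: LIBXML_NOENT tells libxml to substitute entities, and
// external ones are fetched through PHP's stream wrappers (file://, php://, http://).
function parseUnsafe(string $xml): SimpleXMLElement
{
    return new SimpleXMLElement($xml, LIBXML_NOENT);
}

// Hardened pattern: refuse any document that declares a DTD, and never pass
// LIBXML_NOENT. LIBXML_NONET additionally forbids network access by the parser.
function parseSafe(string $xml): SimpleXMLElement
{
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('XML documents with a DTD are rejected');
    }
    return new SimpleXMLElement($xml, LIBXML_NONET);
}

// The entity's replacement text becomes the <leak> element's content.
$leaked = base64_decode((string) parseUnsafe($payload)->leak, true);
echo "unsafe parser leaked the file:\n", $leaked;

try {
    parseSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "safe parser: ", $e->getMessage(), "\n";
}

unlink($secretFile);
```

Run it with `php xxe_demo.php`. The php://filter wrapper is what lets an XXE read PHP source without the `<?php` prefix producing a parse error, and the same wrapper is the entry point for the PHP filter-chain technique that turns file read into code execution. Since PHP 8.0, external entity loading is off unless LIBXML_NOENT is passed, so auditing for that flag (and for DTD acceptance in general) is the practical check on any code path an attacker can feed XML into.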

Impact

An attacker can read arbitrary local files, or the contents of remote URLs, from the server. The highest-value target is app/etc/env.php, which contains the cryptographic key Magento uses to sign the JWTs behind its API authentication; with that key an attacker can mint administrator JWTs and call Magento's REST APIs with administrative privileges. The file read can also be chained with PHP filter chains and the glibc iconv flaw CVE-2024-2961 to achieve remote code execution (Assetnote Research).

Mitigation and workarounds

Adobe addressed the issue in Adobe Commerce and Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8 and 2.4.4-p9 (security bulletin APSB24-40); the versions listed in the Overview are the last vulnerable releases, not the fixed ones. Organizations should upgrade to a patched release, or apply Adobe's isolated patch for this CVE where a full upgrade is not immediately possible. Because a successful exploit discloses the encryption key in app/etc/env.php, patching alone does not close the door for a site that may already have been targeted: Adobe also recommends rotating the encryption key, which invalidates any administrator tokens forged from the leaked one (Adobe Advisory).

Community reactions

The vulnerability has been dubbed 'CosmicSting' by Sansec, and the name has been adopted by the wider security community. Multiple researchers and vendors published analyses and emergency mitigations; some of the initial mitigations were bypassed and had to be revised, which highlights both the subtlety of the deserialization path and the value of peer review of security fixes (Assetnote Research).

This report was generated using AI.
