CVE-2022-24086 - Vulnerability Details - OpenCVE

Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is in the KEV database since Feb. 15, 2022.

Exploitation active

Automatable yes

Technical Impact total

Vendors	Products
Adobe	Commerce
Magento	Magento

Configuration 1 [-]

OR	cpe:2.3:a:adobe:commerce::::::::
	cpe:2.3:a:adobe:commerce::::::::
	cpe:2.3:a:adobe:commerce::::::::
	cpe:2.3:a:adobe:commerce:2.3.7:p1::::::
	cpe:2.3:a:adobe:commerce:2.3.7:p2::::::
	cpe:2.3:a:adobe:commerce:2.4.3:-::::::
	cpe:2.3:a:adobe:commerce:2.4.3:p1::::::
	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:2.3.7:p1:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.7:p2:::commerce:::*
	cpe:2.3:a:magento:magento:2.4.3:-:::commerce:::*
	cpe:2.3:a:magento:magento:2.4.3:p1:::commerce:::*

No data.

References

Link	Providers
https://helpx.adobe.com/security/products/magento/apsb22-12.html

History

Tue, 04 Feb 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2022-02-15'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2022-02-16T16:38:28.383Z

Updated: 2025-02-04T19:04:34.078Z

Reserved: 2022-01-27T00:00:00.000Z

Link: CVE-2022-24086

Vulnrichment

Updated: 2024-08-03T03:59:23.565Z

NVD

Status : Analyzed

Published: 2022-02-16T17:15:13.307

Modified: 2025-02-13T17:30:31.057

Link: CVE-2022-24086

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.3-p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.7-p2", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-02-13T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-16T16:38:28.000Z", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Adobe Commerce checkout improper input validation leads to remote code execution", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2022-02-13T23:00:00.000Z", "ID": "CVE-2022-24086", "STATE": "PUBLIC", "TITLE": "Adobe Commerce checkout improper input validation leads to remote code execution"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.3-p1"}, {"version_affected": "<=", "version_value": "2.3.7-p2"}, {"version_affected": "<=", "version_value": "None"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution."}]}, "impact": {"cvss": {"attackComplexity": "Low", "attackVector": "Network", "availabilityImpact": "High", "baseScore": 9.8, "baseSeverity": "Critical", "confidentialityImpact": "High", "integrityImpact": "High", "privilegesRequired": "None", "scope": "Unchanged", "userInteraction": "None", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation (CWE-20)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb22-12.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:59:23.565Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24086", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-27T18:35:53.490758Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-02-15", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-24086"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T19:04:34.078Z"}}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2022-24086", "datePublished": "2022-02-16T16:38:28.383Z", "dateReserved": "2022-01-27T00:00:00.000Z", "dateUpdated": "2025-02-04T19:04:34.078Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:59:23.565Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-24086", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-27T18:35:53.490758Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2022-02-15", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2022-24086"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T19:03:23.776Z"}}], "cna": {"title": "Adobe Commerce checkout improper input validation leads to remote code execution", "source": {"discovery": "EXTERNAL"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Adobe", "product": "Magento Commerce", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "2.4.3-p1"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "2.3.7-p2"}, {"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "None"}]}], "datePublic": "2022-02-13T00:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "Improper Input Validation (CWE-20)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2022-02-16T16:38:28.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "Unchanged", "version": "3.1", "baseScore": 9.8, "attackVector": "Network", "baseSeverity": "Critical", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "High", "userInteraction": "None", "attackComplexity": "Low", "availabilityImpact": "High", "privilegesRequired": "None", "confidentialityImpact": "High"}}, "source": {"discovery": "EXTERNAL"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.4.3-p1", "version_affected": "<="}, {"version_value": "2.3.7-p2", "version_affected": "<="}, {"version_value": "None", "version_affected": "<="}, {"version_value": "None", "version_affected": "<="}]}, "product_name": "Magento Commerce"}]}, "vendor_name": "Adobe"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html", "name": "https://helpx.adobe.com/security/products/magento/apsb22-12.html", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation (CWE-20)"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-24086", "STATE": "PUBLIC", "TITLE": "Adobe Commerce checkout improper input validation leads to remote code execution", "ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2022-02-13T23:00:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-24086", "state": "PUBLISHED", "dateUpdated": "2025-02-04T19:04:34.078Z", "dateReserved": "2022-01-27T00:00:00.000Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2022-02-16T16:38:28.383Z", "assignerShortName": "adobe"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-03-01", "cisaExploitAdd": "2022-02-15", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "90B19F1A-11A1-4315-8433-6B8938228BF7", "versionEndExcluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5229EE3-4D7C-473B-AEDA-7FC6CC75486B", "versionEndIncluding": "2.3.6", "versionStartExcluding": "2.3.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DFFF83C-2A52-442D-8349-7B37843B630F", "versionEndIncluding": "2.4.2", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p1:*:*:*:*:*:*", "matchCriteriaId": "9F471E19-8AFE-4A6C-88EA-DF94428518F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.3.7:p2:*:*:*:*:*:*", "matchCriteriaId": "27E5B990-1E1C-46AC-815F-AF737D211C16", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:-:*:*:*:*:*:*", "matchCriteriaId": "7B503C35-8C90-4A24-8E60-722CDBBF556B", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:commerce:2.4.3:p1:*:*:*:*:*:*", "matchCriteriaId": "8A453C85-A14A-47B8-B91D-3906BBE42A78", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "4839E061-1E2C-47BE-9FF7-7D6EE17085E1", "versionEndExcluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "768F5B14-76BE-4BF6-80F0-C35386B0C61F", "versionEndIncluding": "2.3.6", "versionStartExcluding": "2.3.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "664A23B2-48D1-46E8-BA7F-3F693C19D5CC", "versionEndIncluding": "2.4.2", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:p1:*:*:commerce:*:*:*", "matchCriteriaId": "0F954F97-00FF-4ADC-A185-ACF0513C5294", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.7:p2:*:*:commerce:*:*:*", "matchCriteriaId": "E4798194-5488-4DB5-8427-0AFDDD8F4D0E", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.3:-:*:*:commerce:*:*:*", "matchCriteriaId": "A573FBD1-29A3-4601-B0FA-AFEF953C05E5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.3:p1:*:*:commerce:*:*:*", "matchCriteriaId": "9D138592-62B8-458A-9B95-9E05FDA8D63A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Adobe Commerce versions 2.4.3-p1 (and earlier) and 2.3.7-p2 (and earlier) are affected by an improper input validation vulnerability during the checkout process. Exploitation of this issue does not require user interaction and could result in arbitrary code execution."}, {"lang": "es", "value": "Adobe Commerce versiones 2.4.3-p1 (y anteriores) y 2.3.7-p2 (y anteriores), est\u00e1n afectadas por una vulnerabilidad de comprobaci\u00f3n de entrada inapropiada durante el proceso de compra. Una explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y podr\u00eda resultar en una ejecuci\u00f3n de c\u00f3digo arbitrario"}], "id": "CVE-2022-24086", "lastModified": "2025-02-13T17:30:31.057", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2022-02-16T17:15:13.307", "references": [{"source": "psirt@adobe.com", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Release Notes", "Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb22-12.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@adobe.com", "type": "Primary"}]}