Adobe Commerce and Magento Open Source Server-Side Request Forgery Vulnerability Allowing Security Feature Bypass

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Adobe Commerce and Magento Open Source. This vulnerability affects several versions, including Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier, as well as Magento Open Source versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15 and earlier. The vulnerability could allow a high-privileged attacker to manipulate server-side requests, bypassing security controls. Exploitation of this vulnerability does not require user interaction.

Impact

Exploitation of this vulnerability could lead to a security feature bypass, allowing attackers to manipulate server-side requests and bypass security controls.

Remediation

Users are advised to update to Adobe Commerce version 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16 or 2.4.4-p17. For Magento Open Source users, the recommended versions are 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14 or 2.4.5-p16.