CVE-2020-24406

When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment.

CVSS v3 3.7 LOW
CVSS v2.0 4.3 MEDIUM

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb20-59.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::open_source:::*
	cpe:2.3:a:magento:magento:2.4.0::::commerce:::
	cpe:2.3:a:magento:magento:2.4.0::::open_source:::

History

No history.

Information

Published : 2020-11-09 01:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-24406

Mitre link : CVE-2020-24406

CVE.ORG link : CVE-2020-24406

JSON object : View

Products Affected

magento

magento

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2020-24406", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "psirt@adobe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2020-11-09T01:15:12.880", "references": [{"url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "tags": ["Vendor Advisory"], "source": "psirt@adobe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "psirt@adobe.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "When in maintenance mode, Magento version 2.4.0 and 2.3.4 (and earlier) are affected by an information disclosure vulnerability that could expose the installation path during build deployments. This information could be helpful to attackers if they are able to identify other exploitable vulnerabilities in the environment."}, {"lang": "es", "value": "Cuando est\u00e1 en modo de mantenimiento, Magento versiones 2.4.0 y 2.3.4 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n que podr\u00eda exponer la ruta de instalaci\u00f3n durante implementaciones de compilaci\u00f3n. Esta informaci\u00f3n podr\u00eda ser \u00fatil para unos atacantes si pueden identificar otras vulnerabilidades explotables en el entorno"}], "lastModified": "2020-11-12T18:01:05.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "53D3B41C-E47D-4F48-BEB9-77FF70D2FB46", "versionEndIncluding": "2.3.4"}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "692B08D3-66EA-455C-A935-7724C06629D9", "versionEndIncluding": "2.3.4"}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:commerce:*:*:*", "vulnerable": true, "matchCriteriaId": "8B564171-2253-412F-B936-8FEA1074BBBE"}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:open_source:*:*:*", "vulnerable": true, "matchCriteriaId": "446F9B89-3455-46F4-A7B0-CCA7857E0FC4"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@adobe.com"}