CVE-2024-34102: Magento open source affected by an improper restriction of XXE vulnerability

By
Neda Ali
Reviewed by
Nash N Sulthan
Published on
27 Jun 2024
4 min read
Vulnerability

CVE-2024-34102 is the most critical vulnerability to affect Magento and Adobe Commerce stores in the last two years. This vulnerability allows unauthorized access to private files, such as those containing passwords.

When paired with the recent icon bug in Linux, it escalates into a severe security threat that permits remote code execution. This devastating flaw provides attackers with full control over compromised systems and can be exploited through automated attacks, leading to potentially large-scale, global hacking incidents.

The combination of these vulnerabilities creates a dire situation that could result in extensive breaches and significant damage to affected businesses.

The vulnerability described affects several versions like:

  • Adobe Commerce 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8

  • Adobe Commerce Extended Support 2.4.3-ext-7 and earlier, 2.4.2-ext-7 and earlier, 2.4.1-ext-7 and earlier, 2.4.0-ext-7 and earlier, 2.3.7-p4-ext-7 and earlier.

  • Magento Open Source 2.4.7 and earlier, including 2.4.6-p5, 2.4.5-p7, 2.4.4-p8

  • Adobe Commerce Webhooks Plugin versions 1.2.0 to 1.4.0

How bad is the CVE-2024-34102 vulnerability?

CVE-2024-34102 has achieved a record severity score of 9.8 on the Common Vulnerability Scoring System (CVSS), which operates on a 10-point scale. This near-maximum score underscores the extreme danger posed by this vulnerability.

The high score reflects the critical nature of the flaw, highlighting its potential for widespread exploitation and significant impact. The vulnerability allows unauthorized access to private files, such as those containing passwords, and when combined with the recent icon bug in Linux, it can escalate to remote code execution.

This makes it a particularly potent threat, as it grants attackers full control over affected systems. The automation potential of the exploit further amplifies its risk, paving the way for mass hacks on a global scale.

The CVSS score of 9.8 indicates not only the ease of exploitation but also the severe consequences it can have, making it imperative for businesses to address this vulnerability with the highest priority.

To detect the presence of Magento open source XXE (CVE-2024-34102) vulnerability, you can now run a security test using Beagle Security.

What are the impacts of CVE-2024-34102 vulnerability?

CVE-2024-34102 vulnerability may disrupt existing checkout functionality in Magento and Adobe Commerce stores.

This means that while applying the security update is crucial to protect against potential exploitation, it could inadvertently cause issues with the checkout process, potentially leading to failed transactions or poor customer experience.

This creates a challenging situation for businesses, as they must balance the urgency of securing their systems against the risk of operational disruptions that could impact sales and customer satisfaction.

CVE-2024-34102 is one of the most damaging attacks in e-commerce history alongside notorious attacks like “Shoplift,” “Ambionics,” and “Trojan Order”. The critical CVE-2024-34102 vulnerability, combined with the recent iconv bug in Linux, provides a potent means for attackers to gain full control over affected systems with relative ease.

Quick fix for CVE-2024-34102 vulnerability

To enhance security and mitigate vulnerabilities like CVE-2024-34102, it is essential to upgrade your Adobe Commerce or Magento installation to the latest version. This upgrade will incorporate vital security patches and improvements, including the implementation of Content Security Policy (CSP) and Sub resource Integrity (SRI)

Here are some quick fixes to this vulnerability:

If immediate upgrading is not feasible, we offer an unofficial emergency fix. Add the following code to the beginning of app/bootstrap.php.

$input = file_get_contents('php://input'); if (strpos(json_encode(json_decode($input)), 'sourceData') !== false || strpos($input, 'sourceData') !== false) { http_response_code(503); exit; }

This solution aims to mitigate the majority of CosmicSting attacks. Please be aware that this fix is provided without a warranty, so use it at your own risk.

It’s important to schedule a system upgrade, as attackers may discover ways to bypass this mitigation.

Wrapping up

To prevent the improper restriction of XML External Entity (XXE) vulnerability in Adobe Commerce and other applications, ensure that all software is regularly updated with the latest security patches, and configure XML parsers to disable external entity processing and unnecessary XML features.

Implement network security measures such as strict firewall rules and intrusion detection systems and conduct regular security audits and penetration testing. Use secure and updated libraries and frameworks and provide ongoing training and awareness on secure coding practices to developers and staff.

As with any significant vulnerability, proactive measures, continuous monitoring, and regular updates are vital in safeguarding against potential exploits.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Neda Ali
Neda Ali
Product Marketing Specialist
Contributor
Nash N Sulthan
Nash N Sulthan
Cyber Security Lead Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
Find surface-level website security issues in under a minute
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.