GHSA-2fhr-f6q6-c4p2

Suggest an improvement
Source
https://github.com/advisories/GHSA-2fhr-f6q6-c4p2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2fhr-f6q6-c4p2/GHSA-2fhr-f6q6-c4p2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2fhr-f6q6-c4p2
Aliases
Published
2022-05-24T16:52:29Z
Modified
2024-02-02T17:16:39.227866Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Magento 2 Community Edition Access Control Bypass
Details

An access control bypass vulnerability exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An unauthenticated user can bypass access controls via REST API calls to assign themselves to an arbitrary company, thereby gaining read access to potentially confidental information.

Database specific
{
    "nvd_published_at": "2019-08-02T22:15:00Z",
    "cwe_ids": [
        "CWE-639"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-17T18:42:33Z"
}
References

Affected packages

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.18

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.1.10
2.1.11
2.1.12
2.1.13
2.1.14
2.1.15
2.1.16
2.1.17

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2.0
Fixed
2.2.9

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8

Packagist / magento/community-edition

Package

Name
magento/community-edition
Purl
pkg:composer/magento/community-edition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.2

Affected versions

2.*

2.3.0
2.3.1