6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-13761

GHSA ID

GHSA-vpq9-c67q-23fq

EPSS Score

0.58456%

CWE

CWE-200

Published

5/17/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-13761

CVE-2017-13761:
Fastly Magento2 sensitive information disclosure

The Fastly CDN module before 1.2.26 for Magento2, when used with a third-party authentication plugin, might allow remote authenticated users to obtain sensitive information from authenticated sessions via vectors involving caching of redirect responses.

(GitHub Advisory)

6.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-13761

GHSA ID

GHSA-vpq9-c67q-23fq

EPSS Score

0.58456%

CWE

CWE-200

Published

5/17/2022

Updated

4/24/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
fastly/magento2	composer	< 1.2.26	1.2.26

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper cache control headers on authentication-related redirect responses. The primary suspect is response handling logic that determines caching behavior (VclPlugin::afterRenderResult) and VCL generation logic (Config::getVclSnippets). These components would directly influence whether authentication redirects are cached. The high confidence in VclPlugin stems from Magento's typical response modification patterns, while VCL generation gets medium confidence due to inherent CDN configuration linkage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **stly **N mo*ul* ***or* *.*.** *or M***nto*, w**n us** wit* * t*ir*-p*rty *ut**nti**tion plu*in, mi**t *llow r*mot* *ut**nti**t** us*rs to o*t*in s*nsitiv* in*orm*tion *rom *ut**nti**t** s*ssions vi* v**tors involvin* ****in* o* r**ir**t r*spons

Reasoning

T** vuln*r**ility st*ms *rom improp*r ***** *ontrol *****rs on *ut**nti**tion-r*l*t** r**ir**t r*spons*s. T** prim*ry susp**t is r*spons* **n*lin* lo*i* t**t **t*rmin*s ****in* ****vior (`V*lPlu*in::**t*rR*n**rR*sult`) *n* V*L **n*r*tion lo*i* (`*on*

6.5

Basic Information

Concerned about an active attack path?

CVE-2017-13761: Fastly Magento2 sensitive information disclosure

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-13761:
Fastly Magento2 sensitive information disclosure

Vulnerability Intelligence
Miggo AI