CVE-2019-7139: Magento 2 Community Edition SQLi Vulnerability
9.8
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.96825%
CWE
Published
5/24/2022
Updated
2/12/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.1.0, < 2.1.18 | 2.1.18 |
magento/community-edition | composer | >= 2.2.0, < 2.2.9 | 2.2.9 |
magento/community-edition | composer | >= 2.3.0, < 2.3.2 | 2.3.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CWE-89) stems from improper SQL query construction in Magento's MySQL adapter. The advisory explicitly mentions a flaw in the MySQL adapter (PRODSECBUG-2198), and the unauthenticated exploitation vector suggests a public-facing endpoint passes user input directly to the database layer. The Magento\Framework\DB\Adapter\Pdo\Mysql::query
method is a core SQL execution point, and improper use of raw SQL with user input (e.g., via fetchAll
, query
, or select
methods) would enable SQL injection. The fix in patched versions likely introduced proper parameterization or escaping in this flow.