CVE-2019-7139: Magento 2 Community Edition SQLi Vulnerability

CVSS Score (v3.0): 9.8

Basic Information

EPSS Score: 0.96825%
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name               | Ecosystem | Vulnerable Versions | First Patched Version
---------------------------|-----------|---------------------|----------------------
magento/community-edition  | composer  | >= 2.1.0, < 2.1.18  | 2.1.18
magento/community-edition  | composer  | >= 2.2.0, < 2.2.9   | 2.2.9
magento/community-edition  | composer  | >= 2.3.0, < 2.3.2   | 2.3.2

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability (CWE-89) stems from improper SQL query construction in Magento's MySQL adapter. The advisory explicitly mentions a flaw in the MySQL adapter (PRODSECBUG-2198), and the unauthenticated exploitation vector suggests a public-facing endpoint passes user input directly to the database layer. The Magento\Framework\DB\Adapter\Pdo\Mysql::query method is a core SQL execution point, and improper use of raw SQL with user input (e.g., via fetchAll, query, or select methods) would enable SQL injection. The fix in patched versions likely introduced proper parameterization or escaping in this flow.

WAF Protection Rules

WAF Rule

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to
