CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The vulnerability description explicitly mentions weak IV generation in security contexts. Magento's encryption stack centralizes IV generation in the Encryptor class, whose 'generateIv' method would be responsible for this operation. The patched versions (2.1.18, 2.2.9, 2.3.2) likely replaced insecure IV generation (e.g., using mt_rand() or MCRYPT_DEV_URANDOM) with a cryptographically secure method such as random_bytes(). No direct code is shown, but the CWE-330 alignment and Magento's architecture make this the most probable location of the fix.
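To make the CWE-330 point concrete, the following is an added illustration, not Magento's code and not the actual patch: it places an IV built from mt_rand() (the weak pattern the description names) beside one built from random_bytes(), and runs both through AES-256-CBC via PHP's OpenSSL binding. The function names, the fixed seed and the demo key are constructed for the example; the cipher name and the OpenSSL calls are standard PHP 7+.

```php
<?php
// Added example (not Magento code): weak vs. secure IV generation for CBC mode.
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

// WEAK (hypothetical helper): mt_rand() is a Mersenne Twister PRNG, not a CSPRNG.
// Its internal state is recoverable from observed outputs and it is only
// 32-bit seeded, so IVs built from it are predictable and can repeat.
function weakIv(int $length): string
{
    $iv = '';
    for ($i = 0; $i < $length; $i++) {
        $iv .= chr(mt_rand(0, 255));
    }
    return $iv;
}

// FIXED (hypothetical helper): random_bytes() reads the OS CSPRNG and throws
// an Exception instead of silently falling back to weak bytes.
// (mcrypt_create_iv() with MCRYPT_DEV_URANDOM belonged to the mcrypt
// extension, which was removed from PHP core in 7.2; random_bytes() is the
// standard replacement.)
function secureIv(int $length): string
{
    return random_bytes($length);
}

// IV is prepended to the ciphertext: it need not be secret, but it must be
// unique and unpredictable for every message encrypted under the same key.
function encryptWithIv(string $plaintext, string $key, string $iv): string
{
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $iv . $ct;
}

function decryptBlob(string $blob, string $key, int $ivLength): string
{
    $iv = substr($blob, 0, $ivLength);
    $ct = substr($blob, $ivLength);
    $pt = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('openssl_decrypt failed');
    }
    return $pt;
}

$ivLength = openssl_cipher_iv_length(CIPHER);  // 16 bytes for AES-CBC
$key      = random_bytes(32);                  // constructed demo key (AES-256)

// Deterministic PRNG state: the same seed reproduces the "random" IV exactly,
// and with identical plaintext the ciphertexts collide as well.
mt_srand(1234);
$weak1 = weakIv($ivLength);
mt_srand(1234);
$weak2 = weakIv($ivLength);
printf("weak IVs identical: %s\n", $weak1 === $weak2 ? 'yes' : 'no');

$c1 = encryptWithIv('same plaintext', $key, $weak1);
$c2 = encryptWithIv('same plaintext', $key, $weak2);
printf("weak ciphertexts identical: %s\n", $c1 === $c2 ? 'yes' : 'no');

// CSPRNG-backed IVs: independent per call, and the blob still round-trips.
$good = encryptWithIv('same plaintext', $key, secureIv($ivLength));
$again = encryptWithIv('same plaintext', $key, secureIv($ivLength));
printf("secure ciphertexts identical: %s\n", $good === $again ? 'yes' : 'no');
printf("round trip ok: %s\n", decryptBlob($good, $key, $ivLength) === 'same plaintext' ? 'yes' : 'no');
```

Run with `php example.php`. The reseeded weak path reports identical IVs and identical ciphertexts, which is exactly the property an IV must not have; the random_bytes() path yields distinct ciphertexts for the same plaintext while still decrypting correctly. When reviewing an encryption wrapper for this class of bug, the check is simply whether every IV or nonce originates from random_bytes() (or an equivalent CSPRNG API) rather than from rand(), mt_rand(), uniqid(), time-derived values or a constant.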
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18 |
| magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9 |
| magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2 |