CVE-2019-7898: Magento 2 Community Edition Information Disclosure

CVSS Score: 5.3 (CVSS 3.0)

Basic Information
CVE ID: CVE-2019-7898
GHSA ID:
EPSS Score: 0.18521%
CWE: CWE-20
Published: 5/24/2022
Updated: 2/12/2024
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
magento/community-edition | composer | >= 2.1, < 2.1.18 | 2.1.18
magento/community-edition | composer | >= 2.2, < 2.2.9 | 2.2.9
magento/community-edition | composer | >= 2.3, < 2.3.2 | 2.3.2
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing product-status validation when downloadable product samples are accessed. In Magento's architecture:
- The Sample controller's execute() method handles download requests, making it the primary entry point where input validation (product ID lookup and product-status check) should occur.
- The Download helper's resource retrieval is a secondary validation layer that would need to confirm the product is available before serving the file.
The exact patch code is not shown here, but the CWE-20 (Improper Input Validation) classification and Magento's security bulletin both indicate that these core input-processing points are where product-status checks would need to be added. The medium confidence reflects an educated inference based on Magento's pattern of handling downloadable products and on typical vulnerability patterns in controller actions.