7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8114

GHSA ID

GHSA-crv7-r357-gw3w

EPSS Score

0.77987%

CWE

CWE-434

Published

5/24/2022

Updated

2/10/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-8114

CVE-2019-8114:
Magento 2 Community Edition RCE Vulnerability

A remote code execution vulnerability exists in Magento 1 prior to 1.9.4.3 and 1.14.4.3, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with admin privileges to import features can execute arbitrary code via crafted configuration archive file upload.

As per the Magento Release 2.3.3, if you have already implemented the pre-release version of this patch (2.3.2-p1), it is highly recommended to promptly upgrade to 2.3.2-p2.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-8114

GHSA ID

GHSA-crv7-r357-gw3w

EPSS Score

0.77987%

CWE

CWE-434

Published

5/24/2022

Updated

2/10/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
magento/community-edition	composer	< 1.9.4.3	1.9.4.3
magento/community-edition	composer	>= 2.2.0, < 2.2.10	2.2.10
magento/community-edition	composer	>= 2.3.0, < 2.3.2-p2	2.3.2-p2
magento/project-community-edition	composer	< 1.9.4.3	1.9.4.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient validation during configuration archive uploads by authenticated admins. The primary entry point is the import functionality in the admin panel, which processes ZIP files. Mage_Adminhtml_System_ConfigController::importAction is directly responsible for handling these uploads, and historical Magento vulnerabilities (e.g., CVE-2019-8114) often involve improper file extraction in controllers. Mage_Dataflow_Model_Convert_Adapter_Io::save is implicated in file operations during imports; lack of validation here could allow malicious file writes. The high confidence for the controller action aligns with the CWE-434 pattern, while the dataflow adapter is a plausible secondary vector based on Magento's architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r*mot* *o** *x**ution vuln*r**ility *xists in M***nto * prior to *.*.*.* *n* *.**.*.*, M***nto *.* prior to *.*.**, M***nto *.* prior to *.*.* or *.*.*-p*. *n *ut**nti**t** us*r wit* **min privil***s to import ***tur*s **n *x**ut* *r*itr*ry *o** vi

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt v*li**tion *urin* *on*i*ur*tion *r**iv* uplo**s *y *ut**nti**t** **mins. T** prim*ry *ntry point is t** import *un*tion*lity in t** **min p*n*l, w*i** pro**ss*s ZIP *il*s. M***_**min*tml_Syst*m_*on*i**ontroll

7.2

Basic Information

Concerned about an active attack path?

CVE-2019-8114: Magento 2 Community Edition RCE Vulnerability

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-8114:
Magento 2 Community Edition RCE Vulnerability

Vulnerability Intelligence
Miggo AI