CVE-2019-8118: Magento 2 Community Edition Weak Cryptography
CVSS Score: 5.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2019-8118
GHSA ID:
EPSS Score: 0.1422%
CWE: CWE-312
Published: 5/24/2022
Updated: 2/2/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | >= 2.1.0, < 2.1.19 | 2.1.19 |
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.3 | 2.3.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure cryptographic practices in the tracking of failed login attempts. In Magento's customer authentication subsystem, this tracking would logically be handled by the Authentication model. The CWE-312 alignment suggests either cleartext storage or weak encryption of the tracked data. Exact pre-patch code is not available, but historical context indicates that MD5 usage for lockout hashes was a common Magento flaw. The Encryptor class is included with medium confidence: its misuse (for example, selecting a weak algorithm) would directly enable this vulnerability, although the exact flawed implementation cannot be verified without the patch diffs.