
CVE-2019-8118: Magento 2 Community Edition Weak Cryptography

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.1422%
Published: 5/24/2022
Updated: 2/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name               Ecosystem  Vulnerable Versions   First Patched Version
magento/community-edition  composer   >= 2.1.0, < 2.1.19    2.1.19
magento/community-edition  composer   >= 2.2.0, < 2.2.10    2.2.10
magento/community-edition  composer   >= 2.3.0, < 2.3.3     2.3.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insecure cryptographic practices in tracking failed logins. Magento's customer authentication subsystem would logically handle this via the Authentication model. The CWE-312 alignment suggests either cleartext storage or weak encryption. While exact pre-patch code isn't available, historical context indicates MD5 usage for lockout hashes was a common Magento flaw. The Encryptor class is included with medium confidence because its misuse (e.g., weak algorithm selection) would directly enable this vulnerability, though the exact flawed implementation isn't verifiable without patch diffs.

WAF Protection Rules

WAF Rule

Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 uses weak cryptographic function to store the failed login attempts for customer accounts.