
CVE-2019-8136: Magento 2 Community Edition Insecure Component

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.40057%
CWE: -
Published: 5/24/2022
Updated: 2/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10
magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from Magento 2's use of outdated Symfony components for HTTP specification abstraction. However, the provided sources (CVE description, GitHub advisory, NVD entry, and Magento security notice) do not explicitly name specific vulnerable functions or file paths. The core issue appears to be in dependency management (using vulnerable Symfony versions) rather than Magento's own functions. Without access to commit diffs, patch details, or explicit documentation linking to specific Magento functions that improperly implemented the Symfony components, we cannot confidently identify exact vulnerable functions. The remediation involved updating Symfony dependencies rather than patching specific Magento functions.


WAF Protection Rules

WAF Rule

An insecure component vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. The Magento 2 codebase leverages outdated versions of the HTTP specification abstraction implemented in a Symfony component.
