CVE-2019-8137: Magento 2 Community Edition RCE Vulnerability
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.66724%
CWE
-
Published
5/24/2022
Updated
2/2/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from processing untrusted input in custom layout updates. Historical analysis shows Magento's widget template filter had deserialization vulnerabilities (CVE-2016-4010), and the layout merge process is a core component handling user-provided XML. Though exact patch details are unavailable, these components align with the described attack vector (CMS layout manipulation leading to RCE). The high confidence in Filter::generateWidget
comes from its known unsafe unserialize()
usage in widget parameters, while Merge::load
gets medium confidence as the primary entry point for processing custom layout XML.