CVE-2019-8137: Magento 2 Community Edition RCE Vulnerability

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.66724%
CWE: -
Published: 5/24/2022
Updated: 2/2/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| magento/community-edition | composer | >= 2.2.0, < 2.2.10 | 2.2.10 |
| magento/community-edition | composer | >= 2.3.0, < 2.3.2-p1 | 2.3.2-p1 |
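
The affected ranges above can be checked against a `composer.lock` file. The following is an added example, not code from Magento or from this page's author. It assumes the package name from the table (an install may record Magento under a different name, so `package` is a parameter) and versions of the form `X.Y.Z` or `X.Y.Z-pN`; the sample lock data is constructed.

```python
import json
import re

# Affected ranges as listed on this page: vulnerable when first <= v < patched.
AFFECTED = [("2.2.0", "2.2.10"), ("2.3.0", "2.3.2-p1")]
PACKAGE = "magento/community-edition"  # name as given in the table above


def parse(version):
    """Turn '2.3.2-p1' into (2, 3, 2, 1); a plain '2.3.2' gets patch level 0.

    Composer treats '-pN' as a post-release patch, so 2.3.2 < 2.3.2-p1,
    the opposite of how SemVer orders a '-suffix' pre-release tag.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-p(?:atch)?(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """True if the version falls inside one of the vulnerable ranges."""
    v = parse(version)
    return any(parse(lo) <= v < parse(hi) for lo, hi in AFFECTED)


def check_lock(lock_text, package=PACKAGE):
    """Return (version, affected) for the package in a composer.lock, or None."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == package:
            return pkg["version"], is_affected(pkg["version"])
    return None


# Constructed sample: a minimal composer.lock fragment for illustration.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "monolog/monolog", "version": "1.25.1"},
        {"name": "magento/community-edition", "version": "2.3.2"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
    for v in ("2.2.9", "2.2.10", "2.3.2", "2.3.2-p1", "2.1.18"):
        print(v, "affected" if is_affected(v) else "not affected")
```
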

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from processing untrusted input in custom layout updates. Historical analysis shows Magento's widget template filter had deserialization vulnerabilities (CVE-2016-4010), and the layout merge process is a core component handling user-provided XML. Though exact patch details are unavailable, these components align with the described attack vector (CMS layout manipulation leading to RCE). The high confidence in Filter::generateWidget comes from its known unsafe unserialize() usage in widget parameters, while Merge::load gets medium confidence as the primary entry point for processing custom layout XML.
