CVE-2021-39217: Fix for arbitrary command execution in custom layout update through blocks
CVSS Score: 7.2 (CVSS v3.1)

Basic Information

CVE ID: CVE-2021-39217
GHSA ID:
EPSS Score: 0.44974%
CWE: CWE-77
Published: 1/27/2023
Updated: 2/6/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| openmage/magento-lts | composer | < 19.4.22 | 19.4.22 |
| openmage/magento-lts | composer | >= 20.0.0, < 20.0.19 | 20.0.19 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insufficient validation in the validateAgainstBlockMethodBlacklist method. The original code compared the full 'BlockClass::method' string against the blacklist, so the check could be bypassed by supplying a different block class name while keeping the forbidden method name. The patch changes this logic to extract only the method name after '::' and validate that, so the forbidden method is rejected regardless of the class prefix. Because this function is directly responsible for blocking dangerous block methods in custom layout updates, its flawed comparison allowed command injection. The commit diff and the CWE-77 classification confirm this is the root cause.
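To make the difference between the two comparison strategies concrete, the following is an added, self-contained PHP model of the check described above. It is not OpenMage's code: the function names `validateWeak` and `validateStrict`, the `Original_Block` / `Other_Block` class names and the `FORBIDDEN_METHODS` list are constructed placeholders, and the real project's blacklist is not reproduced. It also adds a caveat the analysis implies but does not state: PHP method names are case-insensitive, so the extracted method name must be normalised before comparison.

```php
<?php
// Constructed blacklist of forbidden method names (lower-cased for comparison).
// Placeholder values only; not OpenMage's actual list.
const FORBIDDEN_METHODS = ['forbiddenmethod', 'anotherdangerousmethod'];

// Pre-patch style check (modelled, not OpenMage's code): the blacklist holds full
// "Class::method" strings, so the comparison is tied to one specific class name.
// Returns true when the entry is allowed.
function validateWeak(string $blockMethod): bool
{
    $blacklist = array_map(
        fn(string $m): string => strtolower('Original_Block::' . $m),
        FORBIDDEN_METHODS
    );
    return !in_array(strtolower($blockMethod), $blacklist, true);
}

// Patched style check (modelled): keep only what follows the last '::' and compare
// the bare method name. If no '::' is present, the whole string is treated as the
// method name so a missing separator cannot skip the check.
// Returns true when the entry is allowed.
function validateStrict(string $blockMethod): bool
{
    $pos = strrpos($blockMethod, '::');
    $method = ($pos === false) ? $blockMethod : substr($blockMethod, $pos + 2);
    // PHP method names are case-insensitive, so normalise before comparing.
    return !in_array(strtolower(trim($method)), FORBIDDEN_METHODS, true);
}

// Constructed sample inputs: one exact blacklist entry, two variants that only
// differ in class prefix or case, and an ordinary template method that should pass.
$samples = [
    'Original_Block::forbiddenMethod',  // exact blacklisted entry
    'Other_Block::forbiddenMethod',     // same method under a different class name
    'Other_Block::FORBIDDENMETHOD',     // case variant of the same method
    'Other_Block::getChildHtml',        // ordinary block method, should be allowed
];

foreach ($samples as $s) {
    printf(
        "%-34s weak=%-5s strict=%s\n",
        $s,
        validateWeak($s) ? 'allow' : 'block',
        validateStrict($s) ? 'allow' : 'block'
    );
}
```

Running the script shows the weak check allowing the second and third samples while the strict check blocks both; only the exact `Original_Block::forbiddenMethod` string is caught by the full-string comparison, which is the gap the patch closes.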