
CVE-2021-39217: Fix for arbitrary command execution in custom layout update through blocks

CVSS Score (v3.1): 7.2

Basic Information

EPSS Score: 0.44974%
Published: 1/27/2023
Updated: 2/6/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| openmage/magento-lts | composer | < 19.4.22 | 19.4.22 |
| openmage/magento-lts | composer | >= 20.0.0, < 20.0.19 | 20.0.19 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insufficient validation in the validateAgainstBlockMethodBlacklist method. The original code compared the full 'BlockClass::method' string against the blacklist, so a layout update that invoked a forbidden method on a different block class ('OtherBlock::forbiddenMethod' instead of the blacklisted 'BlockClass::forbiddenMethod') never matched an entry and passed validation, even though the same dangerous method was called. The patch extracts only the method name after '::' and validates that, so the forbidden method is rejected regardless of which block class it is called on. Because this function is the control that blocks dangerous block methods in custom layout updates, its flawed comparison allowed command injection (CWE-77); the commit diff and the CWE-77 classification confirm this as the root cause. Note the PR:H in the CVSS vector: exploitation requires an authenticated user with administrative privileges who can edit custom layout updates, which is why the score is 7.2 despite the full confidentiality, integrity and availability impact.
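The bypass and the fix described above, as an added example written for this page (not OpenMage's own validator code): a hypothetical blacklist checker in its vulnerable form (full 'Class::method' comparison) beside its patched form (method name after '::' only), run over a constructed custom layout update. The blacklist entries, the block-type-to-class mapping and the layout XML are all constructed for illustration; only the `<block type="..."><action method="..."/>` layout shape mirrors Magento 1 layout XML.

```php
<?php
declare(strict_types=1);
// Added example, not OpenMage code. All names below are constructed stand-ins
// for illustration of the comparison logic described in the root cause analysis.

// Constructed blacklist in the "Class::method" form the analysis describes.
const BLOCK_METHOD_BLACKLIST = [
    'Mage_Core_Block_Template::setTemplate',
    'Mage_Core_Block_Abstract::setData',
];

/**
 * Vulnerable form: compares the full "Class::method" string, so the same
 * forbidden method called on any other block class never matches an entry.
 */
function isBlockedVulnerable(string $blockClass, string $method): bool
{
    return in_array($blockClass . '::' . $method, BLOCK_METHOD_BLACKLIST, true);
}

/**
 * Patched form: only the method name after "::" is compared, whatever the
 * block class. Compared case-insensitively because PHP method names are
 * case-insensitive, so "SETTEMPLATE" would otherwise slip past the list.
 */
function isBlockedPatched(string $method): bool
{
    $forbiddenMethods = array_map(
        static function (string $entry): string {
            $parts = explode('::', $entry, 2);   // entries without "::" are taken whole
            return strtolower(end($parts));
        },
        BLOCK_METHOD_BLACKLIST
    );
    return in_array(strtolower($method), $forbiddenMethods, true);
}

/**
 * Walks every <action method="..."> under a <block type="..."> in a layout
 * update and returns the "Class::method" calls the given checker rejects.
 * The block-type-to-class mapping is a constructed stand-in.
 */
function findViolations(string $layoutXml, callable $isBlocked): array
{
    $typeToClass = [
        'core/template' => 'Mage_Core_Block_Template',
        'page/html'     => 'Mage_Page_Block_Html',
    ];
    $violations = [];
    $xml = new SimpleXMLElement($layoutXml);
    foreach ($xml->xpath('//block[@type]') as $block) {
        $class = $typeToClass[(string) $block['type']] ?? 'Unknown_Block';
        foreach ($block->xpath('.//action[@method]') as $action) {
            $method = (string) $action['method'];
            if ($isBlocked($class, $method)) {
                $violations[] = $class . '::' . $method;
            }
        }
    }
    return $violations;
}

// Constructed custom layout update: the blacklisted setTemplate method is
// invoked on a block whose class is not the one spelled out in the list,
// alongside a benign call that neither checker should reject.
$layout = <<<XML
<layout>
  <reference name="content">
    <block type="page/html" name="injected">
      <action method="setTemplate"><template>example.phtml</template></action>
    </block>
    <block type="core/template" name="benign">
      <action method="setTitle"><title>Hello</title></action>
    </block>
  </reference>
</layout>
XML;

$vulnerable = findViolations($layout, 'isBlockedVulnerable');
$patched    = findViolations($layout, fn(string $class, string $method) => isBlockedPatched($method));

printf("vulnerable check rejected: %s\n", json_encode($vulnerable));
printf("patched check rejected:    %s\n", json_encode($patched));
```

Run with `php example.php` (PHP 7.4 or later for the arrow function). The vulnerable checker lets the `page/html` block's `setTemplate` call through because its class prefix does not match the blacklist entry, which is exactly the class-name substitution the analysis describes; the patched checker rejects it while still allowing the benign `setTitle` call.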


WAF Protection Rules

WAF Rule

### Impact
Custom Layout enables admin users to execute arbitrary commands via block methods.
