CVE-2024-34102 — Magento Open Source affected by an Improper Restriction of XML External Entity R

Description

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

How to fix CVE-2024-34102

To remediate CVE-2024-34102, upgrade the affected package to a fixed version below.

—upgrade to 2.4.7-p1 or later
—no fix listed

Is CVE-2024-34102 being exploited?

Yes — CVE-2024-34102 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

>= 2.4.7-alpha0, < 2.4.7-p1, >= 2.4.6-alpha0, < 2.4.6-p6, >= 2.4.5-alpha0, < 2.4.5-p8, >= 2.4.4-alpha0, < 2.4.4-p9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-34102
PATCHgithub.com/magento/magento2
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/magento/product-community-edition/CVE-2024-34102.yaml
WEBgithub.com/magento/magento2/commit/30877fce83b793f71421c47347885cf076e81799