Adobe Commerce/Magento "CosmicSting" XXE (CVE-2024-34102)
Description
Adobe Commerce and Magento contain a critical XML External Entity (XXE) injection vulnerability that allows remote attackers to process malicious XML input without authentication. Attackers can exploit this flaw to extract sensitive files from the server's filesystem, perform server-side request forgery (SSRF) attacks to access internal systems, or cause denial-of-service conditions. When chained with CVE-2024-2961, this vulnerability can be escalated to achieve remote code execution, making it particularly dangerous.
Remediation
Apply security patches immediately by upgrading to the following versions or later:

Adobe Commerce:
- Version 2.4.7-p1 or later
- Version 2.4.6-p6 or later
- Version 2.4.5-p8 or later
- Version 2.4.4-p9 or later

Magento Open Source:
- Version 2.4.7-p1 or later
- Version 2.4.6-p6 or later
- Version 2.4.5-p8 or later
- Version 2.4.4-p9 or later

If immediate patching is not possible, implement the following temporary mitigations:
1. Restrict access to the affected endpoints at the web application firewall or load balancer level
2. Monitor logs for suspicious XML processing activity and requests to external domains
3. Disable XML external entity processing in PHP configuration if not required for business operations

After patching, verify the fix by testing that external entity references in XML input are properly rejected.
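The third mitigation (keeping external entity processing off in PHP) and the final verification step can be expressed as a small PHP routine. The following is an added example written for this page; it is not Adobe Commerce or Magento code, and the function names `parseUntrustedXml` and `verifyEntityRejection`, as well as the two test documents, are constructed for illustration. It parses with libxml's network access disabled and without entity substitution, refuses any document that declares a DTD at all, and then checks that a document declaring an external entity is rejected while a plain document still parses.

```php
<?php
// Added example (not Adobe/Magento code): a hardened XML loader that refuses
// DOCTYPE/ENTITY declarations and forbids network access during parsing,
// plus a self-check usable for the "verify the fix" step after patching.

declare(strict_types=1);

/**
 * Parse untrusted XML without expanding external entities.
 * Returns a SimpleXMLElement on success, or null if the document is rejected.
 */
function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    // Reject any document that declares a DTD: external entities, parameter
    // entities and entity-expansion attacks all require one.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $xml) === 1) {
        return null;
    }

    // PHP < 8.0 enables the external entity loader by default; turn it off.
    // PHP 8 always disables it and deprecates this call, so skip it there.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previous = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET forbids network access while parsing.
        // LIBXML_NOENT (entity substitution) is deliberately NOT set.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
        return $doc === false ? null : $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/**
 * Self-check for the verification step: a constructed document declaring an
 * external entity must be rejected, and a plain document must still parse.
 */
function verifyEntityRejection(): bool
{
    // Constructed test documents. The SYSTEM identifier points at a harmless,
    // non-existent local path and is never resolved by the hardened loader.
    $withEntity = '<?xml version="1.0"?>'
        . '<!DOCTYPE data [<!ENTITY ext SYSTEM "file:///nonexistent/example">]>'
        . '<data>&ext;</data>';
    $plain = '<?xml version="1.0"?><data><item>ok</item></data>';

    $rejected = parseUntrustedXml($withEntity) === null;
    $accepted = parseUntrustedXml($plain);

    return $rejected && $accepted !== null && (string) $accepted->item === 'ok';
}

echo verifyEntityRejection()
    ? "entity rejection OK\n"
    : "FAIL: external entity references still processed\n";
```

Run the file with the PHP CLI on the patched host; the same `parseUntrustedXml` pattern (no `LIBXML_NOENT`, `LIBXML_NONET` set, DTD declarations refused up front) is the setting worth applying wherever custom code on the store parses XML from untrusted sources.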