CVE-2023-41879

Vulnerability from cvelistv5

Published

2023-09-11 21:14

Modified

2024-09-26 16:55

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.

References

URL	Tags
security-advisories@github.com	https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128	Patch
security-advisories@github.com	https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877	Patch
security-advisories@github.com	https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1	Release Notes
security-advisories@github.com	https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1	Release Notes
security-advisories@github.com	https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	OpenMage	magento-lts	Version: <= 19.5.0 Version: >= 20.0.0, <= 20.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T19:09:49.294Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "magento",
            "vendor": "openmage",
            "versions": [
              {
                "lessThanOrEqual": "19.5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThanOrEqual": "20.1.0",
                "status": "affected",
                "version": "20.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-41879",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-26T16:53:59.562897Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-26T16:55:58.992Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "magento-lts",
          "vendor": "OpenMage",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 19.5.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 20.0.0, \u003c= 20.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-330",
              "description": "CWE-330: Use of Insufficiently Random Values",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-11T21:14:28.597Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
        },
        {
          "name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
        },
        {
          "name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
        },
        {
          "name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
        },
        {
          "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
        }
      ],
      "source": {
        "advisory": "GHSA-9358-cpvx-c2qp",
        "discovery": "UNKNOWN"
      },
      "title": "Magento LTS\u0027s guest order \"protect code\" can be brute-forced too easily"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-41879",
    "datePublished": "2023-09-11T21:14:28.597Z",
    "dateReserved": "2023-09-04T16:31:48.223Z",
    "dateUpdated": "2024-09-26T16:55:58.992Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41879\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-11T22:15:08.267\",\"lastModified\":\"2024-11-21T08:21:50.350\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \\\"guest-view\\\" cookie which contains the order\u0027s \\\"protect_code\\\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.\"},{\"lang\":\"es\",\"value\":\"Magento LTS es el c\u00f3digo base oficial de OpenMage LTS. Los pedidos de invitados se pueden ver sin autenticaci\u00f3n utilizando una cookie de \\\"guest-view\\\" que contiene el \\\"protect_code\\\" del pedido. Este c\u00f3digo tiene 6 caracteres hexadecimales, lo que podr\u00eda decirse que no es suficiente para evitar un ataque de fuerza bruta. Exponer cada orden requerir\u00eda un ataque de fuerza bruta por separado. Este problema se solucion\u00f3 en las versiones 19.5.1 y 20.1.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*\",\"versionEndExcluding\":\"19.5.1\",\"matchCriteriaId\":\"C2C082C2-33B8-42AA-A80D-7FC64CBEA8A4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.1.1\",\"matchCriteriaId\":\"C0ACC44D-FE37-4C32-B49F-DD00D3CAA1DA\"}]}]}],\"references\":[{\"url\":\"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\", \"name\": \"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\", \"name\": \"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\", \"name\": \"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\", \"name\": \"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\", \"name\": \"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:09:49.294Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41879\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-26T16:53:59.562897Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*\"], \"vendor\": \"openmage\", \"product\": \"magento\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"19.5.0\"}, {\"status\": \"affected\", \"version\": \"20.0.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"20.1.0\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-26T16:55:54.708Z\"}}], \"cna\": {\"title\": \"Magento LTS\u0027s guest order \\\"protect code\\\" can be brute-forced too easily\", \"source\": {\"advisory\": \"GHSA-9358-cpvx-c2qp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"OpenMage\", \"product\": \"magento-lts\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 19.5.0\"}, {\"status\": \"affected\", \"version\": \"\u003e= 20.0.0, \u003c= 20.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\", \"name\": \"https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\", \"name\": \"https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\", \"name\": \"https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\", \"name\": \"https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\", \"name\": \"https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \\\"guest-view\\\" cookie which contains the order\u0027s \\\"protect_code\\\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-330\", \"description\": \"CWE-330: Use of Insufficiently Random Values\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-11T21:14:28.597Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-41879\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-26T16:55:58.992Z\", \"dateReserved\": \"2023-09-04T16:31:48.223Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-11T21:14:28.597Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2023-41879

Vulnerability from fkie_nvd

Published

2023-09-11 22:15

Modified

2024-11-21 08:21

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128	Patch
security-advisories@github.com	https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877	Patch
security-advisories@github.com	https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1	Release Notes
security-advisories@github.com	https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1	Release Notes
security-advisories@github.com	https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	openmage	magento	*
	openmage	magento	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "C2C082C2-33B8-42AA-A80D-7FC64CBEA8A4",
              "versionEndExcluding": "19.5.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*",
              "matchCriteriaId": "C0ACC44D-FE37-4C32-B49F-DD00D3CAA1DA",
              "versionEndExcluding": "20.1.1",
              "versionStartIncluding": "20.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1."
    },
    {
      "lang": "es",
      "value": "Magento LTS es el c\u00f3digo base oficial de OpenMage LTS. Los pedidos de invitados se pueden ver sin autenticaci\u00f3n utilizando una cookie de \"guest-view\" que contiene el \"protect_code\" del pedido. Este c\u00f3digo tiene 6 caracteres hexadecimales, lo que podr\u00eda decirse que no es suficiente para evitar un ataque de fuerza bruta. Exponer cada orden requerir\u00eda un ataque de fuerza bruta por separado. Este problema se solucion\u00f3 en las versiones 19.5.1 y 20.1.1."
    }
  ],
  "id": "CVE-2023-41879",
  "lastModified": "2024-11-21T08:21:50.350",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-11T22:15:08.267",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-9358-cpvx-c2qp

Vulnerability from github

Published

2023-09-11 20:45

Modified

2023-09-12 13:34

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Magento LTS's guest order "protect code" can be brute-forced too easily

Details

Impact

Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack.

Patches

None.

Workarounds

Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (sales/guest/view/) would effectively mitigate the issue.

References

Email from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org:

Summary

The German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test: The web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily easily guessed transaction numbers or names. Attacking entities could possibly exploit this to retrieve sensitive information using this easier-to-obtain data and by trying random numbers.

Details

Customers who place an order without an account can subsequently retrieve the order data or invoice data by specifying individual information. Technically, the access is realized by specifying the cookie guest-view. The value of the cookie is Base64 encoded and contains a random value and the order number. The random value consists of six characters, where these are taken from the alphabet [0-9a-f]. In the best case, i.e. when using a cryptographically secure random number generator, this corresponds to an entropy of 24 bits. Furthermore, the order numbers are assigned incrementally, so that the number range can be narrowed down or an upper limit determined by placing an order. Specifically, this results in the risk that an attacking entity can iterate over all possible values of the cookie's random value. If successful, the billing address, shipping address, payment details and the ordered items can be viewed. The attack only works for orders made as a guest.

PoC

The request/response pair shows the retrieval of an order. It should be noted in particular, that the cookie is not bound to a session. The response has been formatted for formatted for readability.

Request: 1 GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1 2 Host: localhost.local 3 Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; 4 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 6 Accept-Language: en-US,en;q=0.5 7 Accept-Encoding: gzip, deflate 8 Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/ 9 Upgrade-Insecure-Requests: 1 10 Sec-Fetch-Dest: document 11 Sec-Fetch-Mode: navigate 12 Sec-Fetch-Site: same-origin 13 Sec-Fetch-User: ?1 14 Te: trailers 15 Connection: close

Response:

1 HTTP/1.1 200 OK 2 Date: Tue, 13 Dec 2022 14:06:13 GMT 3 Server: Apache 4 Strict-Transport-Security: max-age=31536000; includeSubDomains 5 X-Powered-By: PHP/7.4.6 6 Set-Cookie: om_frontend=id7v84a05u8mm1j32t2kj5rbjl; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly 7 Expires: Thu, 19 Nov 1981 08:52:00 GMT 8 Cache-Control: no-store, no-cache, must-revalidate 9 Pragma: no-cache 10 Set-Cookie: om_frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/magento19/; domain=localhost.local; secure; HttpOnly; SameSite=None 11 Set-Cookie: om_frontend=o42vttknheaj0sr3q0381jipdp; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly 12 Set-Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; expires=Tue, 13-Dec-2022 14:16:13 GMT; Max-Age=600; path=/; domain=localhost.local; secure; HttpOnly; SameSite=None 13 X-Frame-Options: SAMEORIGIN 14 X-Content-Type-Options: nosniff 15 X-XSS-Protection: 1; mode=block 16 Referrer-Policy: same-origin 17 Feature-Policy: geolocation 'self'; vibrate 'none' 18 Content-Security-Policy: default-src 'self';script-src 'self' 'unsafe-inline' 'unsafeeval'; style-src 'self' 'unsafe-inline'; 19 Connection: close 20 Content-Type: text/html; charset=UTF-8 21 Content-Length: 47876 22 23 <!DOCTYPE html> 24 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de"> 25 […] 26 <div class="page-title"> 27 <h1>Bestellung #100000431 - Ausstehende Überweisung</h1> 28 </div> 29 […] 30 <h2 class="feature-headline">Versandadresse</h2> 31 <div class="feature-content"> 32 <address> 33 Herr Vorname Nachname<br> 34 Straße<br> 35 Dresden, Brandenburg, 01067<br> 36 Deutschland<br> 37 </address> 38 </div> 39 […] 40 <h2 class="feature-headline">Rechnungsadresse</h2> 41 <div class="feature-content"> 42 <address> 43 [color]Herr Vorname Nachname<br> 44 Straße<br> 45 Dresden, Brandenburg, 01067<br> 46 Deutschland<br>[/color] 47 </address> 48 </div> 49 […] 50 <h2 class="feature-headline">Zahlungsart</h2> 51 <div class="feature-content"> 52 <div class="block-content"> 53 Vorkasse<br> 54 <div id="bankpayment_account_info" style="font-style: italic;">Bankverbindung</div> 55 <table class="data-table fieldset"> 56 […] 57 <h2 class="sub-title"> 58 <span>Kassenzeichen: WS1712000349</span> 59 </h2> 60 <h2 class="sub-title">Bestellte Artikel</h2> 61 […] 62 <td class="order-item-product"> 63 <h3 class="product-name ellipsis-multi-line">Testprodukt Kreditkarte</h3> 64 […] 65 <span class="price">100,23 €</span> 66 […] 67 </html>

Impact

Information disclosure. Read as well as write access to sensitive information of persons or accounts and the execution of actions on their behalf must always be secured by strong authentication. This can be ensured, for example, by enforcing strong passwords or MFA. For temporary accesses to sensitive information, temporary passwords or authentication tokens or comparable data that an attacking entity cannot easily guess or determine should be used. Random values should have sufficient entropy so that searching the number space is impractical for attacking entities. Furthermore, such queries should be limited by rate limiting. The exact attack effort cannot be determined, since this requires the proportion of the proportion of orders that were placed without an account and since the performance of the performance of the production system is likely to differ from that of the test system. In a test run, 1000 requests could be made within 36 seconds. Part of the execution is shown in the screenshot. The complete search of the number space for the random value would take 6 days 23 hours 46 minutes. Accordingly, the expected value is about 3.5 days. If every third order is executed without an account, the effort must be multiplied by a factor of 3.

Mit freundlichen Grüßen

Frank Rochlitzer (github: theroch)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 19.5.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "19.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 20.1.0"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "openmage/magento-lts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "20.0.0"
            },
            {
              "fixed": "20.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41879"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-11T20:45:02Z",
    "nvd_published_at": "2023-09-11T22:15:08Z",
    "severity": "HIGH"
  },
  "details": "# Impact\n\nGuest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack.\n\n# Patches\n\nNone.\n\n# Workarounds\n\nImplementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue.\n\n# References\n\nEmail from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org:\n\n## Summary\n\nThe German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test:\nThe web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily\neasily guessed transaction numbers or names.\nAttacking entities could possibly exploit this to retrieve sensitive information using this easier-to-obtain data and by trying random numbers.\n\n## Details\n\nCustomers who place an order without an account can subsequently retrieve the order data or invoice data by specifying individual information.\nTechnically, the access is realized by specifying the cookie guest-view. The value of the cookie is Base64 encoded and contains a random value and the order number. The random value consists of six characters, where these are taken from the alphabet [0-9a-f]. In the best case, i.e. when using a cryptographically secure random number generator, this corresponds to an entropy of 24 bits. Furthermore, the order numbers are assigned incrementally, so that the number range can be narrowed down or an upper limit determined by placing an order.\nSpecifically, this results in the risk that an attacking entity can iterate over all possible values of the cookie\u0027s random value. If successful, the billing address, shipping address, payment details and the ordered items can be viewed. The attack only works for orders made as a guest.\n\n## PoC\n\nThe request/response pair shows the retrieval of an order. It should be noted in particular, that the cookie is not bound to a session. The response has been formatted for formatted for readability.\n\nRequest:\n```\n1 GET /magento19/index.php/default/sales/guest/view/ HTTP/1.1\n2 Host: localhost.local\n3 Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D;\n4 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0\n5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\n6 Accept-Language: en-US,en;q=0.5\n7 Accept-Encoding: gzip, deflate\n8 Referer: https://localhost.local/magento19/index.php/default/egovs_checkout/multipage/successview/\n9 Upgrade-Insecure-Requests: 1\n10 Sec-Fetch-Dest: document\n11 Sec-Fetch-Mode: navigate\n12 Sec-Fetch-Site: same-origin\n13 Sec-Fetch-User: ?1\n14 Te: trailers\n15 Connection: close\n```\n\nResponse:\n\n```\n1 HTTP/1.1 200 OK\n2 Date: Tue, 13 Dec 2022 14:06:13 GMT\n3 Server: Apache\n4 Strict-Transport-Security: max-age=31536000; includeSubDomains\n5 X-Powered-By: PHP/7.4.6\n6 Set-Cookie: om_frontend=id7v84a05u8mm1j32t2kj5rbjl; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly\n7 Expires: Thu, 19 Nov 1981 08:52:00 GMT\n8 Cache-Control: no-store, no-cache, must-revalidate\n9 Pragma: no-cache\n10 Set-Cookie: om_frontend=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/magento19/; domain=localhost.local; secure; HttpOnly; SameSite=None\n11 Set-Cookie: om_frontend=o42vttknheaj0sr3q0381jipdp; expires=Tue, 13-Dec-2022 15:06:13 GMT; Max-Age=3600; path=/magento19/; domain=localhost.local; secure; HttpOnly\n12 Set-Cookie: guest-view=MzYyYzI4OjEwMDAwMDQzMQ%3D%3D; expires=Tue, 13-Dec-2022 14:16:13 GMT; Max-Age=600; path=/; domain=localhost.local; secure; HttpOnly; SameSite=None\n13 X-Frame-Options: SAMEORIGIN\n14 X-Content-Type-Options: nosniff\n15 X-XSS-Protection: 1; mode=block\n16 Referrer-Policy: same-origin\n17 Feature-Policy: geolocation \u0027self\u0027; vibrate \u0027none\u0027\n18 Content-Security-Policy: default-src \u0027self\u0027;script-src \u0027self\u0027 \u0027unsafe-inline\u0027 \u0027unsafeeval\u0027;\nstyle-src \u0027self\u0027 \u0027unsafe-inline\u0027;\n19 Connection: close\n20 Content-Type: text/html; charset=UTF-8\n21 Content-Length: 47876\n22\n23 \u003c!DOCTYPE html\u003e\n24 \u003chtml xmlns=\"http://www.w3.org/1999/xhtml\" xml:lang=\"de\" lang=\"de\"\u003e\n25 [\u2026]\n26 \u003cdiv class=\"page-title\"\u003e\n27 \u003ch1\u003eBestellung #100000431 - Ausstehende \u00dcberweisung\u003c/h1\u003e\n28 \u003c/div\u003e\n29 [\u2026]\n30 \u003ch2 class=\"feature-headline\"\u003eVersandadresse\u003c/h2\u003e\n31 \u003cdiv class=\"feature-content\"\u003e\n32 \u003caddress\u003e\n33 Herr Vorname Nachname\u003cbr\u003e\n34 Stra\u00dfe\u003cbr\u003e\n35 Dresden, Brandenburg, 01067\u003cbr\u003e\n36 Deutschland\u003cbr\u003e\n37 \u003c/address\u003e\n38 \u003c/div\u003e\n39 [\u2026]\n40 \u003ch2 class=\"feature-headline\"\u003eRechnungsadresse\u003c/h2\u003e\n41 \u003cdiv class=\"feature-content\"\u003e\n42 \u003caddress\u003e\n43 [color]Herr Vorname Nachname\u003cbr\u003e\n44 Stra\u00dfe\u003cbr\u003e\n45 Dresden, Brandenburg, 01067\u003cbr\u003e\n46 Deutschland\u003cbr\u003e[/color]\n47 \u003c/address\u003e\n48 \u003c/div\u003e\n49 [\u2026]\n50 \u003ch2 class=\"feature-headline\"\u003eZahlungsart\u003c/h2\u003e\n51 \u003cdiv class=\"feature-content\"\u003e\n52 \u003cdiv class=\"block-content\"\u003e\n53 Vorkasse\u003cbr\u003e\n54 \u003cdiv id=\"bankpayment_account_info\" style=\"font-style: italic;\"\u003eBankverbindung\u003c/div\u003e\n55 \u003ctable class=\"data-table fieldset\"\u003e\n56 [\u2026]\n57 \u003ch2 class=\"sub-title\"\u003e\n58 \u003cspan\u003eKassenzeichen: WS1712000349\u003c/span\u003e\n59 \u003c/h2\u003e\n60 \u003ch2 class=\"sub-title\"\u003eBestellte Artikel\u003c/h2\u003e\n61 [\u2026]\n62 \u003ctd class=\"order-item-product\"\u003e\n63 \u003ch3 class=\"product-name ellipsis-multi-line\"\u003eTestprodukt Kreditkarte\u003c/h3\u003e\n64 [\u2026]\n65 \u003cspan class=\"price\"\u003e100,23 \u20ac\u003c/span\u003e\n66 [\u2026]\n67 \u003c/html\u003e\n```\n\n## Impact\n\nInformation disclosure.\nRead as well as write access to sensitive information of persons or accounts and the execution of actions on their behalf must always be secured by strong authentication. This can be ensured, for example, by enforcing strong passwords or MFA.\nFor temporary accesses to sensitive information, temporary passwords or\nauthentication tokens or comparable data that an attacking entity cannot easily guess or determine should be used. Random values should have sufficient entropy so that searching the number space is impractical for attacking entities.\nFurthermore, such queries should be limited by rate limiting.\nThe exact attack effort cannot be determined, since this requires the proportion of\nthe proportion of orders that were placed without an account and since the performance of the\nperformance of the production system is likely to differ from that of the test system.\nIn a test run, 1000 requests could be made within 36 seconds. Part of the execution is shown in the screenshot. The complete search of the number space for the random value would take 6 days 23 hours 46 minutes. Accordingly, the expected value is about 3.5 days. If every third order is executed without an account, the effort must be multiplied by a factor of 3.\n\nMit freundlichen Gr\u00fc\u00dfen\n\nFrank Rochlitzer (github: theroch)\n",
  "id": "GHSA-9358-cpvx-c2qp",
  "modified": "2023-09-12T13:34:48Z",
  "published": "2023-09-11T20:45:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41879"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenMage/magento-lts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Magento LTS\u0027s guest order \"protect code\" can be brute-forced too easily"
}

gsd-2023-41879

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-41879

Aliases

CVE-2023-41879

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-41879",
    "id": "GSD-2023-41879"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-41879"
      ],
      "details": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1.",
      "id": "GSD-2023-41879",
      "modified": "2023-12-13T01:20:45.505581Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-41879",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "magento-lts",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c= 19.5.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 20.0.0, \u003c= 20.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "OpenMage"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-330",
                "lang": "eng",
                "value": "CWE-330: Use of Insufficiently Random Values"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
            "refsource": "MISC",
            "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
            "refsource": "MISC",
            "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
            "refsource": "MISC",
            "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
            "refsource": "MISC",
            "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
          },
          {
            "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
            "refsource": "MISC",
            "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-9358-cpvx-c2qp",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "20.1.1",
                "versionStartIncluding": "20.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openmage:magento:*:*:*:*:lts:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "19.5.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-41879"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Magento LTS is the official OpenMage LTS codebase. Guest orders may be viewed without authentication using a \"guest-view\" cookie which contains the order\u0027s \"protect_code\". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. This issue has been patched in versions 19.5.1 and 20.1.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-330"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/OpenMage/magento-lts/releases/tag/v19.5.1"
            },
            {
              "name": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/OpenMage/magento-lts/commit/31e74ac5d670b10001f88f038046b62367f15877"
            },
            {
              "name": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/OpenMage/magento-lts/commit/2a2a2fb504247e8966f8ffc2e17d614be5d43128"
            },
            {
              "name": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/OpenMage/magento-lts/security/advisories/GHSA-9358-cpvx-c2qp"
            },
            {
              "name": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/OpenMage/magento-lts/releases/tag/v20.1.1"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-09-15T17:30Z",
      "publishedDate": "2023-09-11T22:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2023-41879

Vulnerability from cvelistv5

fkie_cve-2023-41879

Vulnerability from fkie_nvd

ghsa-9358-cpvx-c2qp

Vulnerability from github

Impact

Patches

Workarounds

References

Summary

Details

PoC

Impact

gsd-2023-41879

Vulnerability from gsd

Tags

Sightings

Nomenclature