Vulnerability in Magento

CVE-2019-7139

An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. This issue is fixed in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2…

EPSS: 0.601 (98.3rd percentile).

Frequently asked questions

What is CVE-2019-7139?
CVE-2019-7139 is a vulnerability in Magento. It was published on 2019-04-10.

Is CVE-2019-7139 known to be exploited?
4 public proof-of-concept repositories are indexed. It is not currently listed in the CISA KEV catalog.