What is CVE-2021-39217?

CVE-2021-39217 is a high-severity vulnerability in Openmage Magento-lts, classified under Command Injection. CVSS score: 7.2/10. Published 2023-01-27.

How severe is CVE-2021-39217?

High severity. CVSS v3 base score is 7.2 out of 10.

RCE in Openmage Magento-lts

CVE-2021-39217

OpenMage LTS is an e-commerce platform. Prior to versions 19.4.22 and 20.0.19, Custom Layout enabled admin users to execute arbitrary commands via block methods. Versions 19.4.22 and 20.0.19 contain patches for this issue.

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.007 (73.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

Openmage Magento-lts — versions < 19.4.22, >= 20.0.0, < 20.0.19

Weakness classification (CWE)

CWE-77 — Command Injection

References

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-c9q3-r4rv-mjm7 (x_refsource_CONFIRM)
https://github.com/OpenMage/magento-lts/commit/289bd4b4f53622138e3e5c2d2cef7502d780086f (x_refsource_MISC)
https://github.com/OpenMage/magento-lts/releases/tag/v19.4.22 (x_refsource_MISC)
https://github.com/OpenMage/magento-lts/releases/tag/v20.0.19 (x_refsource_MISC)

Frequently asked questions

What is CVE-2021-39217?: CVE-2021-39217 is a high-severity vulnerability in Openmage Magento-lts, classified under Command Injection. CVSS score: 7.2/10. Published 2023-01-27.
How severe is CVE-2021-39217?: High severity. CVSS v3 base score is 7.2 out of 10.