Authorization Bypass Through User-Controlled Key

CVE-2021-36032

High

8.8/10

Summary

Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 (and earlier) are affected by an improper input validation vulnerability. An authenticated attacker can trigger an insecure direct object reference in the `V1/customers/me` endpoint to achieve information exposure and privilege escalation.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-639 - Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

Advisory Timeline

Published Sep 01, 2021

Authorization Bypass Through User-Controlled Key

CVE-2021-36032

Summary

CWE-639 - Authorization Bypass Through User-Controlled Key

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS