CVE-2021-21426
Last modified
CVE-2021-21426 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. EPSS estimates a 1.20% chance of exploitation in the next 30 days.
Description
Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was back ported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openmage | Magento | < 19.4.13 |
| Openmage | Magento | >= 20.0.0, < 20.0.9 |
References
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98cThird Party Advisory
- https://github.com/OpenMage/magento-lts/security/advisories/GHSA-m496-x567-f98cThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-21426?
How severe is CVE-2021-21426?
How do I fix CVE-2021-21426?
Are you affected by CVE-2021-21426?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST