CVE-2021-21012 - OpenCVE

Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Adobe	Magento Open Source Magento Commerce

Configuration 1 [-]

OR	cpe:2.3:a:adobe:magento_commerce::::::::
	cpe:2.3:a:adobe:magento_commerce:2.4.0:::::::*
	cpe:2.3:a:adobe:magento_commerce:2.4.0:p1::::::
	cpe:2.3:a:adobe:magento_commerce:2.4.1:::::::*
	cpe:2.3:a:adobe:magento_open_source::::::::
	cpe:2.3:a:adobe:magento_open_source:2.4.0:::::::*
	cpe:2.3:a:adobe:magento_open_source:2.4.0:p1::::::
	cpe:2.3:a:adobe:magento_open_source:2.4.1:::::::*

References

Link	Resource
https://helpx.adobe.com/security/products/magento/apsb21-08.html	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: adobe

Published: 2021-02-09T00:00:00

Updated: 2022-08-17T21:00:03

Reserved: 2020-12-18T00:00:00

Link: CVE-2021-21012

JSON object: View

NVD Information

Status : Modified

Published: 2021-01-13T23:15:14.400

Modified: 2023-11-07T03:29:15.177

Link: CVE-2021-21012

JSON object: View

Redhat Information

No data.

CWE

CWE-639

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.4.0-p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.6", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-02-09T00:00:00", "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key (CWE-639)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-17T21:00:03", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2021-02-09T23:00:00.000Z", "ID": "CVE-2021-21012", "STATE": "PUBLIC", "TITLE": "Magento Commerce Insecure Direct Object Reference Vulnerability Could Lead To Sensitive Information Disclosure"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.1"}, {"version_affected": "<=", "version_value": "2.4.0-p1"}, {"version_affected": "<=", "version_value": "2.3.6"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."}]}, "impact": {"cvss": {"attackComplexity": "None", "attackVector": "None", "availabilityImpact": "None", "baseScore": 5.3, "baseSeverity": "Medium", "confidentialityImpact": "None", "integrityImpact": "None", "privilegesRequired": "None", "scope": "None", "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Authorization Bypass Through User-Controlled Key (CWE-639)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb21-08.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}]}, "source": {"discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2021-21012", "datePublished": "2021-02-09T00:00:00", "dateReserved": "2020-12-18T00:00:00", "dateUpdated": "2022-08-17T21:00:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:magento_commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "1DC7DD78-8F03-48F0-B0B9-CFA2A5688C68", "versionEndIncluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "929B3E3E-C779-4450-B44A-558A8B558C25", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.0:p1:*:*:*:*:*:*", "matchCriteriaId": "4E2DABEE-A259-44AC-894F-030F8B208D2A", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_commerce:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "CE41A2C2-4A58-4AF4-BC43-42DB7E33933C", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F4D60F4-33B9-40FE-B165-C049014C49E5", "versionEndIncluding": "2.3.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1B94967-3ADF-4C8E-81B8-BB3D506F415E", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.0:p1:*:*:*:*:*:*", "matchCriteriaId": "2B32F980-5FA7-455F-8DC0-E6484CD72096", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:magento_open_source:2.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "65174537-3A50-4E08-9CBE-9D84B4CC414B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Magento versions 2.4.1 (and earlier), 2.4.0-p1 (and earlier) and 2.3.6 (and earlier) are vulnerable to an insecure direct object vulnerability (IDOR) in the checkout module. Successful exploitation could lead to sensitive information disclosure."}, {"lang": "es", "value": "Las versiones de Magento 2.4.1 (y anteriores), 2.4.0-p1 (y anteriores) y 2.3.6 (y anteriores) son vulnerables a una vulnerabilidad de objeto directo inseguro (IDOR) en el m\u00f3dulo de pago. Una explotaci\u00f3n exitosa podr\u00eda llevar a la divulgaci\u00f3n de informaci\u00f3n sensible"}], "id": "CVE-2021-21012", "lastModified": "2023-11-07T03:29:15.177", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2021-01-13T23:15:14.400", "references": [{"source": "psirt@adobe.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb21-08.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "psirt@adobe.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Secondary"}]}