CVE-2020-5777: Improper Authentication
MAGMI is vulnerable to a remote authentication bypass because it allows default credentials in the event of a database connection failure. A remote attacker can trigger this connection failure if the MySQL setting max_connections, where the default is and is lower than the Apache (or other web server) setting MaxRequestWorkers, formerly MaxClients, where the default is . This can be done by sending at least simultaneous requests to the Magento website to trigger a "Too many connections" error, and then using the default magmi:magmi basic authentication credentials to bypass authentication remotely.
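The root cause is an authentication check that fails open: a database error is treated as a reason to accept built-in defaults. The following is an added illustration of that pattern beside a fail-closed version; it is not MAGMI's own code, and the table name `admin_user`, the `password_hash` column, the `DB_USER`/`DB_PASS` environment variables and the use of PDO are assumptions for the example.

```php
<?php
// Illustrative example (not MAGMI's code): HTTP Basic Auth backed by a
// database credential store, showing the fail-open pattern the advisory
// describes and the fail-closed replacement.
declare(strict_types=1);

/**
 * Vulnerable pattern: when the database connection could not be opened
 * (e.g. "Too many connections"), the shipped default credentials are accepted.
 * Kept here only to contrast with authenticateSecure() below.
 */
function authenticateVulnerable(?PDO $db, string $user, string $pass): bool
{
    if ($db === null) {
        // Fails OPEN: an infrastructure error becomes an authentication bypass.
        return $user === 'magmi' && $pass === 'magmi';
    }
    return checkAgainstDatabase($db, $user, $pass);
}

/** Hardened: a database failure is an error, never an implicit "allow". */
function authenticateSecure(?PDO $db, string $user, string $pass): bool
{
    if ($db === null) {
        error_log('auth: database unavailable, denying request'); // detectable in logs
        return false; // fail CLOSED
    }
    return checkAgainstDatabase($db, $user, $pass);
}

/** Looks up the stored hash for $user (assumed schema) and verifies $pass. */
function checkAgainstDatabase(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM admin_user WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

// Request handling: on connection failure pass null instead of silently
// switching to a default credential set.
try {
    $db = new PDO('mysql:host=localhost;dbname=magento',
                  getenv('DB_USER') ?: '', getenv('DB_PASS') ?: '');
} catch (PDOException $e) {
    $db = null;
}
if (!authenticateSecure($db, $_SERVER['PHP_AUTH_USER'] ?? '', $_SERVER['PHP_AUTH_PW'] ?? '')) {
    header('WWW-Authenticate: Basic realm="MAGMI"');
    http_response_code(401);
    exit('Authentication required');
}
```

Operationally, the `error_log` line gives defenders a signal to alert on: a burst of "database unavailable" denials coinciding with MySQL "Too many connections" errors is the condition this CVE depends on.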