CVE-2019-8141: Deserialization of Untrusted Data

May 24, 2022 (updated July 18, 2023)

A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with administrative privileges (system level import) can execute arbitrary code through a Phar deserialization vulnerability in the import functionality.

References

github.com/advisories/GHSA-9wr9-fw9v-8fgr
nvd.nist.gov/vuln/detail/CVE-2019-8141
web.archive.org/web/20220121051105/https://magento.com/security/patches/magento-2.3.3-and-2.2.10-security-update

Code Behaviors & Features

Detect and mitigate CVE-2019-8141 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →