CVE-2020-9579: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 24, 2022 (updated January 11, 2024)

Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a security mitigation bypass vulnerability. Successful exploitation could lead to arbitrary code execution.

References

github.com/advisories/GHSA-vrp3-wc28-qg2h
github.com/magento/magento2/commit/52d92dbd07f09620d23693ba0c4d4bdb4ba09916
helpx.adobe.com/security/products/magento/apsb20-22.html
nvd.nist.gov/vuln/detail/CVE-2020-9579

Code Behaviors & Features

Detect and mitigate CVE-2020-9579 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →