CVE-2024-20720: OS command injection vulnerability in Adobe Commerce data collector backup could allow arbitrary code execution on affected versions (2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier) without user interaction (CVE-2024-20720).

Description Preview

Adobe Commerce versions 2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction and can be triggered over the network. The issue is tracked as CVE-2024-20720 and is tied to the data collector backup process. The published CVSS v3.1 base score is 9.1 (CRITICAL), with network access, low attack complexity, and high impact to confidentiality, integrity, and availability. The root cause is described as insufficient patching of CVE-2023-38208, per Adobe's APSB24-03 advisory. This vulnerability creates a severe risk of remote takeover and data compromise for exposed Adobe Commerce deployments.

Overview

This vulnerability exposes Adobe Commerce installations to remote code execution via the data collector backup mechanism. It affects multiple 2.x release lines (2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier) and is classified as CRITICAL, with CVSS v3.1 metrics indicating network-based exploitation, low attack complexity, no user interaction, high privileges required, and high impact to confidentiality, integrity, and availability. The issue stems from improper neutralization of input in a component that executes OS commands and is associated with an earlier, incomplete fix for CVE-2023-38208. Mitigation relies on applying the vendor-supplied patch described in APSB24-03 and upgrading to a fixed Adobe Commerce release.

Remediation

  • Apply the Adobe advisory patch (APSB24-03) and upgrade Adobe Commerce to a fixed release as recommended by Adobe. Verify that the installed version is no longer affected.
  • If an immediate upgrade is not possible, implement a temporary workaround to mitigate exposure, such as disabling or restricting the data collector backup functionality and limiting network access to the Adobe Commerce instance.
  • After patching, re-scan the environment and verify that the vulnerability is resolved; confirm that the data collector backup component no longer allows OS command execution.
  • Review access controls, monitor for anomalous backup activity, and ensure the underlying OS and dependencies are up to date.
  • Establish or improve patch management and change-control processes to prevent regression from similar patching gaps in the future.
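A version triage check for the "verify that the installed version is no longer affected" step above, added here as an example; it is not part of this record or of Adobe's tooling. It encodes only the affected versions the record lists (2.4.6-p3, 2.4.5-p5, 2.4.4-p6 and earlier) and assumes that release lines newer than 2.4.6 are outside that set, which should be confirmed against APSB24-03.

```python
import re
from typing import Dict, Iterable, Tuple

# Affected ceilings as listed in this CVE record: each 2.4.x line is affected
# up to and including the patch level given; every older release line is
# covered by "and earlier". Assumption: lines newer than 2.4.6 are not listed
# here, so they are treated as outside the affected set (confirm with APSB24-03).
AFFECTED_CEILINGS = {
    (2, 4, 6): 3,  # 2.4.6-p3 and earlier
    (2, 4, 5): 5,  # 2.4.5-p5 and earlier
    (2, 4, 4): 6,  # 2.4.4-p6 and earlier
}
OLDEST_LISTED_LINE = min(AFFECTED_CEILINGS)

# Adobe Commerce versions look like "2.4.6" or "2.4.6-p3" (security patch level).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '2.4.6-p3' into ((2, 4, 6), 3); a bare '2.4.6' is patch level 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version string: {version!r}")
    major, minor, rel, patch = m.groups()
    return (int(major), int(minor), int(rel)), int(patch or 0)


def is_affected_by_cve_2024_20720(version: str) -> bool:
    """True when the installed version falls inside the affected set listed on this page."""
    line, patch = parse_version(version)
    if line in AFFECTED_CEILINGS:
        return patch <= AFFECTED_CEILINGS[line]
    # Any release line older than 2.4.4 is covered by "and earlier".
    return line < OLDEST_LISTED_LINE


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each inventoried version string to a remediation status."""
    return {v: ("AFFECTED" if is_affected_by_cve_2024_20720(v) else "not affected") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2.4.6-p3", "2.4.6-p4", "2.4.5-p5", "2.4.4-p7", "2.4.3-p2", "2.4.6"]
    for version, status in triage(sample).items():
        print(f"{version:10s} {status}")
```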

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Retail Trade: Low
  2. Accommodation & Food Services: Low
  3. Administrative, Support, Waste Management & Remediation Services: Low
  4. Agriculture, Forestry, Fishing & Hunting: Low
  5. Arts, Entertainment & Recreation: Low
  6. Construction: Low
  7. Educational Services: Low
  8. Finance and Insurance: Low
  9. Health Care & Social Assistance: Low
  10. Information: Low
  11. Management of Companies & Enterprises: Low
  12. Manufacturing: Low
  13. Mining: Low
  14. Other Services (except Public Administration): Low
  15. Professional, Scientific, & Technical Services: Low
  16. Public Administration: Low
  17. Real Estate Rental & Leasing: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
