CVE-2020-24402 - OpenCVE

Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Magento	Magento

Configuration 1 [-]

OR	cpe:2.3:a:magento:magento:::::commerce:::*
	cpe:2.3:a:magento:magento:::::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:-:::open_source:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::commerce:::*
	cpe:2.3:a:magento:magento:2.3.5:p1:::open_source:::*
	cpe:2.3:a:magento:magento:2.4.0::::commerce:::
	cpe:2.3:a:magento:magento:2.4.0::::open_source:::

No data.

References

Link	Providers
https://helpx.adobe.com/security/products/magento/apsb20-59.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2020-11-09T00:39:15.182126Z

Updated: 2024-09-16T19:04:11.706Z

Reserved: 2020-08-19T00:00:00

Link: CVE-2020-24402

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-11-09T01:15:12.490

Modified: 2022-08-19T11:48:08.007

Link: CVE-2020-24402

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Magento Commerce", "vendor": "Adobe", "versions": [{"lessThanOrEqual": "2.4.0", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "2.3.5p1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThanOrEqual": "None", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2020-10-01T00:00:00", "descriptions": [{"lang": "en", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "Incorrect Default Permissions (CWE-276)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-17T20:57:10", "orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}], "source": {"discovery": "EXTERNAL"}, "title": "Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@adobe.com", "DATE_PUBLIC": "2020-10-01T23:00:00.000Z", "ID": "CVE-2020-24402", "STATE": "PUBLIC", "TITLE": "Incorrect permissions in the Integrations component could lead to unauthorized deletion of customer details via REST API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Magento Commerce", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.4.0"}, {"version_affected": "<=", "version_value": "2.3.5p1"}, {"version_affected": "<=", "version_value": "None"}, {"version_affected": "<=", "version_value": "None"}]}}]}, "vendor_name": "Adobe"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization."}]}, "impact": {"cvss": {"attackComplexity": "Low", "attackVector": "Network", "availabilityImpact": "None", "baseScore": 4.9, "baseSeverity": "Medium", "confidentialityImpact": "None", "integrityImpact": "High", "privilegesRequired": "High", "scope": "Unchanged", "userInteraction": "None", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Incorrect Default Permissions (CWE-276)"}]}]}, "references": {"reference_data": [{"name": "https://helpx.adobe.com/security/products/magento/apsb20-59.html", "refsource": "MISC", "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:12:08.687Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}]}]}, "cveMetadata": {"assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "assignerShortName": "adobe", "cveId": "CVE-2020-24402", "datePublished": "2020-11-09T00:39:15.182126Z", "dateReserved": "2020-08-19T00:00:00", "dateUpdated": "2024-09-16T19:04:11.706Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:commerce:*:*:*", "matchCriteriaId": "E0A4B080-331A-45E2-85A7-ED717F6EAA53", "versionEndExcluding": "2.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:*:*:*:*:open_source:*:*:*", "matchCriteriaId": "64E6568D-2E8F-4E7F-9DEE-96B64D8AF769", "versionEndExcluding": "2.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:commerce:*:*:*", "matchCriteriaId": "5C6FC988-E98F-45F1-9FED-426BD70B9EED", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:-:*:*:open_source:*:*:*", "matchCriteriaId": "8FA0AF98-C822-4419-B4ED-E74AB5A740D1", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:commerce:*:*:*", "matchCriteriaId": "781C23A0-98B7-4893-97E4-AADA97AF2DF1", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.3.5:p1:*:*:open_source:*:*:*", "matchCriteriaId": "F43338E3-3C5B-4923-87A1-057AD501BD28", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:commerce:*:*:*", "matchCriteriaId": "8B564171-2253-412F-B936-8FEA1074BBBE", "vulnerable": true}, {"criteria": "cpe:2.3:a:magento:magento:2.4.0:*:*:*:open_source:*:*:*", "matchCriteriaId": "446F9B89-3455-46F4-A7B0-CCA7857E0FC4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Magento version 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component. This vulnerability could be abused by authenticated users with permissions to the Resource Access API to delete customer details via the REST API without authorization."}, {"lang": "es", "value": "Magento versiones 2.4.0 y 2.3.5p1 (y anteriores) est\u00e1n afectadas por una vulnerabilidad de permisos incorrectos en el componente Integrations. Los usuarios autenticados con permisos para la API Resource Access podr\u00edan abusar de esta vulnerabilidad para eliminar los detalles del cliente por medio de la API REST sin autorizaci\u00f3n"}], "id": "CVE-2020-24402", "lastModified": "2022-08-19T11:48:08.007", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "psirt@adobe.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2020-11-09T01:15:12.490", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/magento/apsb20-59.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "psirt@adobe.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Secondary"}]}