Cyber Resilience

CVE-2021-28583

High

Published: 28 June 2021

Published
28 June 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0053 67.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-28583 is a high-severity Violation of Secure Design Principles (CWE-657) vulnerability in Magento Magento. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 32.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of Secure Design Principles vulnerability in RMA PDF filename formats. Successful exploitation could allow an attacker to get unauthorized access to restricted resources.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

magento
magento
2.3.6, 2.4.1, 2.4.2 · ≤ 2.3.6 · ≤ 2.3.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-657

Establishing and updating awareness policy promotes adherence to secure design principles through ongoing training, preventing related violations.

addresses: CWE-657

Mandating the policy be consistent with laws, standards, and guidelines enforces secure design principles in security governance and oversight.

addresses: CWE-657

Deficiencies violating secure design principles are tracked and corrected through planned actions, limiting attacker opportunities from design flaws.

addresses: CWE-657

Documenting, disseminating, and periodically reviewing maintenance policies and procedures enforces core secure design principles for system maintenance activities.

addresses: CWE-657

Documented policy with defined scope, roles, responsibilities, and periodic review directly enforces secure design principles and management commitment.

addresses: CWE-657

Baseline selection enforces adherence to established secure-design principles rather than ad-hoc or insufficient control choices.

addresses: CWE-657

Requires risk determinations for architecture/design decisions, tailoring rationale, and alignment with enterprise architecture to avoid violations of secure design principles.

addresses: CWE-657

Regular SSP updates force review of whether the system's evolving design continues to follow documented secure design principles after changes.

References