CVE-2024-34110
Published: 13 June 2024
Summary
CVE-2024-34110 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Adobe Commerce. Its CVSS base score is 7.2 (High).
By exploit likelihood it ranks in the top 9.4% of CVEs; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an unrestricted upload of a file with a dangerous type, tracked as CVE-2024-34110 and classified as CWE-434. The flaw permits arbitrary code execution once a malicious file has been placed on the system. Its CVSS 3.1 base score of 7.2 reflects a network-reachable attack that needs high privileges but no user interaction and has high impact on confidentiality, integrity and availability.
An attacker holding an account with elevated (administrative) privileges on the Commerce instance can exploit the issue without any user interaction by uploading a crafted file that the application subsequently executes, giving full control over the affected instance. The privilege requirement means admin credential hygiene and restricting exposure of the admin panel reduce, but do not remove, the risk; patching is the fix.
The official Adobe advisory at https://helpx.adobe.com/security/products/magento/apsb24-40.html lists the fixed Magento-based releases and is the authoritative source for patch information. The associated EPSS score has remained flat at 0.0566 (about 5.7%) with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34633
Vulnerability details
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution. A high-privilege attacker could exploit this vulnerability by uploading a malicious file to the system, which could then be executed. Exploitation of this issue does not require user interaction.
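The description above names the weakness class (CWE-434) but not the checks that close it. The following is an added illustration written for this page, not Adobe Commerce code and not derived from the patch in APSB24-40: a minimal upload handler in the vulnerable pattern beside a hardened version that allowlists the stored extension, rejects executable extensions anywhere in the name (double extensions and dotfiles), verifies magic bytes against the declared type, scans for embedded PHP tags, and stores the file under a server-chosen name. The extension and magic-byte tables are assumptions chosen for the example; `upload_dir` is assumed to be outside the web root or served with script execution disabled.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumed list: extensions a typical PHP web stack executes or that alter
# server behaviour. Any of these anywhere in the name (shell.php.jpg) is refused.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "pht", "phtml",
    "phar", "htaccess", "htpasswd", "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}

# Assumed allowlist of accepted types: the only extension the stored file may
# carry, mapped to the magic bytes the content must begin with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Server-side code markers that must never appear inside an "image" (polyglots).
CODE_MARKERS = (b"<?php", b"<?=", b"<script")


class UploadRejected(ValueError):
    """Raised when an upload fails one of the dangerous-type checks."""


def vulnerable_save(upload_dir: str, client_name: str, content: bytes) -> str:
    """CWE-434 pattern: the client-supplied name decides path and extension,
    so it decides how the web server will treat the file. A shell.php written
    into a web-served directory executes on the next GET."""
    path = os.path.join(upload_dir, client_name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def validate_upload(client_name: str, content: bytes) -> str:
    """Return the canonical extension for an acceptable upload, else raise."""
    # 1. Bare file name only: no directory parts, no NUL bytes.
    if not client_name or "\x00" in client_name or "/" in client_name or "\\" in client_name:
        raise UploadRejected("path separators or NUL in file name")
    parts = client_name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing extension or dotfile (e.g. .htaccess)")
    # 2. Every extension segment is checked, so double extensions do not slip through.
    if any(seg in DANGEROUS_EXTENSIONS for seg in parts[1:]):
        raise UploadRejected("executable extension present")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    # 3. Content must match the declared type; the browser's MIME header is untrusted.
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match declared type")
    # 4. Cheap content scan for embedded server-side code.
    if any(marker in content for marker in CODE_MARKERS):
        raise UploadRejected("embedded code marker found")
    return ext


def is_rejected(client_name: str, content: bytes) -> bool:
    """Convenience wrapper: True if validate_upload refuses the upload."""
    try:
        validate_upload(client_name, content)
    except UploadRejected:
        return True
    return False


def stored_name_for(content: bytes, ext: str) -> str:
    """Server-chosen name: content hash plus validated extension."""
    return hashlib.sha256(content).hexdigest() + "." + ext


def safe_save(upload_dir: str, client_name: str, content: bytes) -> str:
    """Validate, then store under a server-chosen name; the client name never
    reaches the filesystem."""
    ext = validate_upload(client_name, content)
    path = Path(upload_dir) / stored_name_for(content, ext)
    path.write_bytes(content)
    return str(path)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        png = ALLOWED_TYPES["png"] + b"\x00" * 16  # constructed sample image
        print("stored:", safe_save(d, "logo.png", png))
        for name, body in [("shell.php", b"<?php system($_GET['c']);"),
                           ("shell.php.jpg", ALLOWED_TYPES["jpg"] + b"\x00"),
                           (".htaccess", b"AddType application/x-httpd-php .jpg"),
                           ("cat.jpg", ALLOWED_TYPES["jpg"] + b"<?php eval($_POST['x']);")]:
            try:
                safe_save(d, name, body)
            except UploadRejected as e:
                print(f"rejected {name}: {e}")
```

The ordering matters: the name checks run before the content is touched, so a request cannot steer the handler into a different directory, and the stored name is derived from the content rather than the request, so an attacker controls neither where the file lands nor how the web server classifies it. The content scan is a defence in depth, not a substitute for the allowlist: a valid JPEG carrying PHP in its metadata is harmless unless something executes it as PHP.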
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Adobe Commerce 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier (fixed releases are listed in APSB24-40)
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry, so it is generic to unrestricted file uploads rather than specific to Adobe Commerce. Only the two controls that act on files submitted to a web application apply here; the two concerning removable media and firmware are artifacts of the generic CWE mapping and do not apply to a web upload path.
- Sandbox detonation: dangerous file uploads can be detonated in an isolated chamber to determine malice before any production write or execution occurs.
- Content scanning: scan files from external sources on download, open or execute, blocking uploads of dangerous file types.
- Requiring identifiable owners for portable devices reduces the attack surface for uploads of dangerous file types via anonymous media (not applicable here).
- Keeping hardware write-protect enabled except under tightly controlled manual procedures prevents unrestricted writing of arbitrary or malicious firmware (not applicable here).
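The scanning control above is usually described as a pre-write check; after a CWE-434 exposure the same idea is applied retrospectively to find what may already have been written. The script below is an added example written for this page, not a tool from Adobe or the Magento project, and the directory layout and extension list are assumptions. It lists files under a media tree that either carry a server-executable extension anywhere in their name or look like a benign image but contain a PHP open tag; anything it prints should be treated as a web-shell candidate and examined.

```sh
#!/bin/sh
# Hunt for dangerous-type uploads under a web-served media tree.
# Added example; the extension list and the media path are assumptions.
# Usage: find_suspicious_uploads /var/www/html/pub/media

find_suspicious_uploads() {
    dir="$1"
    {
        # a) executable or server-config names, including double extensions
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php?' -o -iname '*.phtml' \
            -o -iname '*.phar' -o -iname '.htaccess' -o -iname '*.php.*' \) -print
        # b) "images" whose bytes contain a PHP open tag (-a forces text mode
        #    so grep does not skip binary files)
        find "$dir" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
            -o -iname '*.gif' -o -iname '*.svg' \) \
            -exec grep -l -a -E '<\?(php|=)' {} \;
    } | sort -u
}

if [ $# -gt 0 ]; then
    find_suspicious_uploads "$1"
fi
```

Run it against a copy of the media directory taken for evidence rather than the live tree, and compare file modification times of any hit with the admin action log for the account that performed the upload.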