Cyber Resilience

CVE-2024-39397

Severity: Critical

Published: 14 August 2024

Modified: 14 August 2024
KEV Added: not listed
Patch: see Adobe advisory APSB24-61
CVSS v3.1 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0920 (92.9th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-39397 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Adobe Commerce. Its CVSS base score is 9.0 (Critical).

Operationally, it ranks in the top 7.1% of CVEs by EPSS exploit likelihood (92.9th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability, tracked as CVE-2024-39397 and classified as CWE-434. The flaw permits an attacker to upload a file of a dangerous type that can subsequently be executed on the server, resulting in arbitrary code execution. It carries a CVSS 3.1 base score of 9.0: network attack vector, high attack complexity, no privileges or user interaction required, and changed scope.

An unauthenticated attacker can exploit the issue remotely by supplying a malicious file that the server then executes, gaining full control over the affected application and potentially the underlying host. Exploitation does not require user interaction, though the high attack complexity limits the ease of successful abuse; the scope is changed, so a successful exploit is not confined to the vulnerable component.

Adobe has published advisory APSB24-61 at https://helpx.adobe.com/security/products/magento/apsb24-61.html detailing the affected versions and the available remediation steps. The associated EPSS score peaked at 0.1041 and has since receded to 0.0920, indicating limited but measurable post-disclosure interest without evidence of widespread exploitation.


Vulnerability details

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe · Product: commerce · Versions: 2.4.4, 2.4.5, 2.4.6, 2.4.7 · ≤ 2.4.3
Vendor: adobe · Product: magento · Versions: 2.4.4, 2.4.5, 2.4.6, 2.4.7 · ≤ 2.4.3

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not yet run; the list below is derived only from the weakness type (CWE-434) cited in the NVD entry, so not every entry is specific to a web-application upload flaw.

Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

Addresses CWE-434: Dangerous file uploads can be detonated in a sandbox chamber to determine malice before any production write or execution occurs.

Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

Addresses CWE-434: Scans files from external sources on download, open or execute, blocking unrestricted uploads of dangerous file types.
