CVE-2024-39397
Published: 14 August 2024
Summary
CVE-2024-39397 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Adobe Commerce. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability, tracked as CVE-2024-39397 and assigned CWE-434. The flaw lets an attacker upload a file of a dangerous type (one the server will hand to an interpreter) that can subsequently be executed on the server, resulting in arbitrary code execution. It carries a CVSS 3.1 base score of 9.0 (vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H): network attack vector, high attack complexity, no privileges or user interaction required, and changed scope.
An unauthenticated attacker can exploit the issue remotely by uploading a malicious file and then requesting it so that the server executes it, gaining control over the affected application and, because the scope is changed, potentially the underlying host. Exploitation does not require user interaction. The high attack complexity means success depends on conditions outside the attacker's direct control, which limits how easily the flaw can be abused; the changed scope does not make exploitation harder but widens what a successful exploit reaches.
Adobe has published advisory APSB24-61 at https://helpx.adobe.com/security/products/magento/apsb24-61.html detailing the affected versions and available remediation steps. The associated EPSS score reached a peak of 0.1041 and currently sits at 0.0920 after receding, indicating limited but measurable post-disclosure interest without evidence of widespread exploitation.
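The upload-then-execute chain described above leaves a distinctive trace in web server access logs: a POST from a client, followed shortly by a GET for a script-typed file under a directory that should only ever hold user-supplied media. The following detection logic is an added example written for this page, not Adobe tooling or a rule published with the advisory; the upload path prefixes, the /example-upload endpoint, the client addresses and the log lines themselves are constructed assumptions.

```python
# Added illustration for this page: detect the upload-then-execute chain in
# combined-format access logs. Not Adobe code; every path and address below is
# an assumption made for the example.
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields used here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: directories that hold user-supplied files and must never serve scripts.
UPLOAD_PREFIXES = ("/media/", "/pub/media/")

# Extensions a typical web server hands to an interpreter.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar",
    "shtml", "cgi", "pl", "py", "jsp", "asp", "aspx",
}

# Constructed sample log (RFC 5737 documentation addresses, hypothetical paths).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2024:10:01:02 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Sep/2024:10:01:10 +0000] "POST /example-upload HTTP/1.1" 200 89
203.0.113.5 - - [01/Sep/2024:10:01:15 +0000] "GET /media/tmp/cache.php?c=id HTTP/1.1" 200 41
198.51.100.7 - - [01/Sep/2024:10:02:00 +0000] "GET /media/images/ab123.jpg HTTP/1.1" 200 20480
198.51.100.7 - - [01/Sep/2024:10:02:30 +0000] "GET /media/import/x.php.jpg HTTP/1.1" 404 196
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def has_executable_ext(path):
    """True if any dotted segment of the final path component is an executable
    extension, so both x.php and x.php.jpg match; the query string is ignored."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    return any(seg in EXECUTABLE_EXTS for seg in name.split(".")[1:])


def detect(lines, window=timedelta(minutes=10)):
    """Flag requests for executable-looking files under the upload prefixes and
    correlate each with POSTs from the same client inside `window`."""
    recent_posts = {}   # client ip -> [(timestamp, path)]
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            recent_posts.setdefault(rec["ip"], []).append((rec["ts"], rec["path"]))
            continue
        if not (rec["path"].startswith(UPLOAD_PREFIXES) and has_executable_ext(rec["path"])):
            continue
        prior = [p for t, p in recent_posts.get(rec["ip"], [])
                 if timedelta(0) <= rec["ts"] - t <= window]
        alerts.append({
            "ip": rec["ip"],
            "ts": rec["ts"].isoformat(),
            "path": rec["path"],
            # 200 means the server served (or ran) the file; anything else is a probe.
            "severity": "high" if rec["status"] == 200 else "low",
            "preceded_by_post": prior,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The rule keys on the request that triggers execution rather than on the upload itself, because an access log records the request path of a POST but not the filename inside a multipart body. Correlation by client address is a heuristic: an attacker who uploads from one address and triggers from another produces a "high" alert with an empty preceded_by_post list, so treat that field as context rather than as a filter, and pair the rule with file-system monitoring of the media directories.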
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37947
Vulnerability details
Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. Exploitation of this issue does not require user interaction, but attack complexity is high and scope is changed.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Detonating uploaded files in a sandbox before any production write or execution occurs determines whether a file is malicious before it can run on the server.
- Scanning files received from external sources on upload, open or execute, and blocking dangerous file types, directly addresses an unrestricted upload of a file with a dangerous type.
- Two entries in the automated mapping, requiring identifiable owners for portable devices (to reduce anonymous media as an upload source) and keeping hardware firmware write-protect enabled except under controlled manual procedures, are generic CWE-434 mappings and do not apply to a web application upload path such as this one; they appear only because the list was derived from the weakness type rather than from this CVE.
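The controls above all sit around the upload; the defect itself is an upload handler that trusts the client-supplied name and type. The following is an added example written for this page, not Adobe Commerce code and not a patch for this CVE: a generic CWE-434 handler in its vulnerable form beside a hardened one. The allowlist, the extension and marker sets, the upload directory and the helper names are assumptions made for the illustration.

```python
# Added illustration for this page: a CWE-434 upload handler in its vulnerable and
# hardened forms. Generic Python, not Adobe Commerce code; the allowlist, directory
# names and helper names are assumptions made for the example.
import os
import secrets

# Assumed policy for an image-upload endpoint: extension -> required magic bytes.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extensions a typical web server hands to an interpreter. Checked against every
# dotted segment of the name so "shell.php.jpg" is caught, not just "shell.php".
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phps", "pht", "phtml", "phar",
    "shtml", "cgi", "pl", "py", "jsp", "asp", "aspx",
}

# Server configuration files that change how a directory is served.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini", "web.config"}

SCRIPT_MARKERS = (b"<?php", b"<?=")


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message names the failed check."""


def vulnerable_store(filename: str, data: bytes, upload_dir: str) -> str:
    """The CWE-434 pattern: trusts the client-supplied name and writes it under a
    web-served directory, so a .php (or .phtml, .phar, ...) upload becomes code."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Return the canonical extension for an acceptable upload, else raise UploadRejected."""
    if not data or len(data) > max_bytes:
        raise UploadRejected("empty or oversized body")
    # Drop any directory part the client sent (path traversal via the filename).
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base:
        raise UploadRejected("null byte in filename")      # "shell.php\x00.jpg"
    low = base.lower()
    if low in SERVER_CONFIG_NAMES:
        raise UploadRejected("server configuration file")
    segs = low.split(".")
    if len(segs) < 2 or not segs[0]:
        raise UploadRejected("no usable extension")
    for seg in segs[1:]:
        if seg in EXECUTABLE_EXTS:
            raise UploadRejected(f"executable extension .{seg}")
    ext = segs[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    # Decide the type from the bytes, never from the client's Content-Type header.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # A valid image with PHP appended still passes the magic check; refuse script
    # markers anywhere in the body as defence in depth.
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker in body")
    return "jpg" if ext == "jpeg" else ext


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience predicate: True when validate_upload refuses the file."""
    try:
        validate_upload(filename, data)
    except UploadRejected:
        return True
    return False


def storage_name(ext: str) -> str:
    """Server-chosen random name: the client's name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def safe_store(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name with no execute bit. upload_dir is
    assumed to be outside the web root or served with script execution disabled."""
    ext = validate_upload(filename, data)
    path = os.path.join(upload_dir, storage_name(ext))
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)
    return path


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32            # constructed JPEG header
    for name, body in [
        ("photo.jpg", jpeg),
        ("shell.php", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", jpeg),
        ("polyglot.jpg", jpeg + b"<?php phpinfo(); ?>"),
        ("../../.htaccess", b"AddType application/x-httpd-php .jpg\n"),
    ]:
        print(name, "rejected" if is_rejected(name, body) else "accepted")
```

Each check in validate_upload closes one known way of smuggling a dangerous type past a naive extension test: traversal in the name, a null byte that truncates the name at the filesystem layer, a server configuration file that remaps harmless extensions to an interpreter, a double extension, a forged Content-Type, and an image with script appended. Even with all of them, the durable control is the one in safe_store's docstring: store uploads where the web server will not execute them, so that a validation bypass yields a file and not code.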