To provide enhanced security for customers using older versions of the Magento platform, we are backporting a fix from the security patch we released on June 25 (Magento 2.3.2, 2.2.9 and 2.1.18 Security Update) to additional versions of Magento Commerce and Magento Open Source.
This issue was addressed in Magento 2.3.2, 2.2.9, and 2.1.18 and is described as CVE-2019-7877 in the Magento 2.3.2, 2.2.9 and 2.1.18 Security Update. We are now offering patches for older versions. Although we have seen few exploits of this vulnerability so far, we strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.
Affected Magento versions
The issue affects the following Magento versions (on-premises and cloud):
- Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
- Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
- Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
Note: Patches have been tested on Magento versions 2.3.1, 2.3.0, 2.2.8 and 2.2.7 only. Deployments running on older versions of Magento are vulnerable and should be upgraded.
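The version ranges above are easy to misread when a store runs an intermediate release such as 2.2.6, so here is an added check (example code written for this page, not Magento's own tooling) that reads the Magento metapackage version from a composer.lock and reports whether the install is already fixed, can take the tested backport, or must be upgraded. The Composer package names are an assumption (the advisory does not name them), the sample lock file is constructed, and the handling of 2.1.x is derived from the opening paragraph, which states that the fix shipped in 2.1.18 but lists no 2.1.x backport.

```python
"""Classify a Magento 2 installation against the version list in this advisory."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Versions on which the backported patch was tested (stated in the advisory).
PATCH_TESTED = {(2, 3, 1), (2, 3, 0), (2, 2, 8), (2, 2, 7)}

# First release of each line that already ships the fix (stated in the advisory).
FIXED_IN = {(2, 3): (2, 3, 2), (2, 2): (2, 2, 9), (2, 1): (2, 1, 18)}

# Composer metapackage names for the two editions. Assumption: these are the
# usual names in a Magento 2 composer.lock; the advisory does not mention them.
MAGENTO_PACKAGES = (
    "magento/product-community-edition",   # Magento Open Source
    "magento/product-enterprise-edition",  # Magento Commerce
)


def parse_version(text: str) -> Optional[Version]:
    """Parse 'v2.3.1', '2.3.1' or '2.3.1-p1' into (2, 3, 1); None if unparseable."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: str) -> str:
    """Return what the advisory says to do for the given Magento version."""
    v = parse_version(version)
    if v is None:
        return "unknown"
    line = v[:2]
    fixed = FIXED_IN.get(line)
    if fixed is None:
        # 2.0.x, 1.x or a line newer than 2.3: not covered by this advisory.
        return "out-of-scope"
    if v >= fixed:
        return "fixed"              # already contains the June 25 fix
    if v in PATCH_TESTED:
        return "apply-patch"        # a tested backport patch exists
    if line == (2, 1):
        # Fixed in 2.1.18, but no backport patch is offered for 2.1.x here.
        return "upgrade-to-2.1.18"
    return "upgrade"                # 2.2.0-2.2.6: vulnerable, patch untested


def installed_version(composer_lock_text: str) -> Optional[str]:
    """Read the Magento metapackage version from composer.lock contents."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


# Constructed sample of the relevant part of a composer.lock (not a real file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "magento/framework", "version": "102.0.1"},
        {"name": "magento/product-community-edition", "version": "2.3.1"},
    ]
})

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    ver = installed_version(text)
    print(f"Magento {ver}: {classify(ver) if ver else 'metapackage not found'}")
```

Run it as `python check_magento.py /var/www/magento/composer.lock`; with no argument it classifies the constructed sample. Because the advisory only promises tested patches for 2.3.1, 2.3.0, 2.2.8 and 2.2.7, the script deliberately reports "upgrade" for every older 2.2.x release rather than suggesting the patch be applied untested.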
There are Git-based and Composer-based patches for both the Magento 2.3.x and 2.2.x releases.
Magento 2.2.x releases:
Magento 2.3.x releases:
How to apply the patch
Patches are available from the Magento Download page for Magento Open Source, or through your Magento account for Magento Commerce. Locate the patch by name. We provide Git-based and Composer-based patches. See Applying patches for additional information.
For Magento Commerce Cloud, download the appropriate Magento Commerce version patch and see Apply custom patches.