
CVE-2020-24402 : Vulnerability Insights and Analysis

Learn about CVE-2020-24402 affecting Magento Commerce versions 2.4.0 and 2.3.5p1. Discover the impact, technical details, and mitigation steps for this vulnerability.

Magento Commerce versions 2.4.0 and 2.3.5p1 (and earlier) are affected by an incorrect permissions vulnerability in the Integrations component, allowing authenticated users to delete customer details via the REST API without proper authorization.

Understanding CVE-2020-24402

This CVE involves an incorrect permissions vulnerability in Magento Commerce that could lead to unauthorized deletion of customer details through the REST API.

What is CVE-2020-24402?

CVE-2020-24402 is a vulnerability in Magento Commerce versions 2.4.0 and 2.3.5p1 (and earlier) that enables authenticated users to delete customer information via the REST API without the necessary authorization.

The Impact of CVE-2020-24402

The vulnerability poses a medium severity risk with a CVSS base score of 4.9. It allows users with high privileges to delete customer details, potentially compromising data integrity.

Technical Details of CVE-2020-24402

This section provides more in-depth technical insights into the CVE.

Vulnerability Description

The vulnerability arises from incorrect permissions in the Integrations component of Magento Commerce, enabling unauthorized deletion of customer details via the REST API.

Affected Systems and Versions

        Product: Magento Commerce
        Vendor: Adobe
        Affected Versions: 2.4.0, 2.3.5p1, and earlier

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Privileges Required: High
        Integrity Impact: High

Mitigation and Prevention

Protect your systems from CVE-2020-24402 with these mitigation strategies.

Immediate Steps to Take

        Update Magento Commerce to a patched version.
        Restrict access to the Resource Access API.
        Monitor and audit REST API activities.
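The last step above, monitoring and auditing REST API activity, is the one a defender can act on before a patch window opens. The following script is an added example written for this page, not code from Adobe or the Magento project: it parses web-server access-log lines (constructed sample data embedded below), keeps only successful DELETE calls against the customer resource, and flags source addresses that delete more than one customer. The path pattern `/rest/[<store code>/]V1/customers/<id>` is an assumption about the Magento REST route layout, and the log lines, addresses and customer ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2020:10:00:01 +0000] "GET /rest/V1/customers/42 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [01/Oct/2020:10:00:07 +0000] "DELETE /rest/V1/customers/42 HTTP/1.1" 200 18 "-" "curl/7.68.0"
10.0.0.9 - - [01/Oct/2020:10:01:10 +0000] "DELETE /rest/default/V1/customers/77 HTTP/1.1" 200 18 "-" "python-requests/2.24"
10.0.0.9 - - [01/Oct/2020:10:01:11 +0000] "DELETE /rest/default/V1/customers/78 HTTP/1.1" 200 18 "-" "python-requests/2.24"
10.0.0.9 - - [01/Oct/2020:10:01:12 +0000] "DELETE /rest/V1/customers/79 HTTP/1.1" 401 40 "-" "python-requests/2.24"
10.0.0.7 - - [01/Oct/2020:10:02:00 +0000] "POST /rest/V1/products HTTP/1.1" 201 300 "-" "Mozilla/5.0"
"""

# Combined Log Format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed Magento customer-resource route: /rest/[<store code>/]V1/customers/<id>.
CUSTOMER_RE = re.compile(r'^/rest/(?:[^/]+/)?V1/customers/(?P<id>\d+)(?:\?.*)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_customer_deletions(log_text):
    """Return successful (2xx) DELETE calls against the customer resource, in log order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        cm = CUSTOMER_RE.match(rec["path"])
        if cm is None or not 200 <= rec["status"] < 300:
            continue  # not a customer deletion, or the server rejected it
        rec["customer_id"] = int(cm.group("id"))
        events.append(rec)
    return events


def sources_over_threshold(events, threshold):
    """Count successful deletions per source address and return those at or above threshold."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    deletions = find_customer_deletions(SAMPLE_LOG)
    for e in deletions:
        print(f'{e["ts"]} {e["ip"]} deleted customer {e["customer_id"]}')
    print("sources with bulk deletions:", sources_over_threshold(deletions, 2))
```

The access log alone cannot say whether a given deletion was authorized; it surfaces candidates that should be matched against the integration or admin account that issued the call and against the ACL resources that account was granted. Run it over the real log of a store still on an affected version, and treat any source that deletes customers in quick succession as something to review.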

Long-Term Security Practices

        Regularly review and adjust user permissions.
        Conduct security training for users with high privileges.

Patching and Updates

        Apply security patches provided by Adobe for Magento Commerce.
