Identifier

CVE-2020-5777

Package Slug

packagist/dweeves/magmi

Vulnerability

Improper Authentication

Description

MAGMI is vulnerable to a remote authentication bypass because it accepts default credentials when the database connection fails. A remote attacker can trigger this connection failure when the MySQL max_connections setting (default 151) is lower than the Apache (or other web server) MaxRequestWorkers setting, formerly MaxClients (default 256). This can be done by sending at least simultaneous requests to the Magento website to trigger a Too many connections error, then using the default magmi:magmi HTTP basic authentication credentials to bypass authentication remotely.
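The flaw class behind this advisory is a login path that "fails open": when the credential store is unreachable, the code falls back to built-in defaults instead of denying access. The following is an added illustration of that pattern beside its fail-closed fix; it is not MAGMI's own code, and the user table, hashes, `CredentialStore` class and `DatabaseUnavailable` exception are constructed for the example.

```python
"""Fail-open vs fail-closed credential checking, illustrating the class of
flaw described in the advisory: a login path that accepts built-in default
credentials whenever the backing database cannot be reached."""

import hashlib
import hmac
import logging

log = logging.getLogger("auth-demo")

# Constructed sample credential store standing in for the configured users.
# The value is SHA-256 of a constructed sample password (hypothetical).
_USERS = {"admin": hashlib.sha256(b"correct horse battery").hexdigest()}

# Hypothetical built-in defaults of the kind the advisory describes.
DEFAULT_USER, DEFAULT_PASSWORD = "magmi", "magmi"


class DatabaseUnavailable(Exception):
    """Raised when the backend cannot be reached (e.g. 'Too many connections')."""


class CredentialStore:
    """Tiny stand-in for a database-backed user table (constructed)."""

    def __init__(self, available: bool = True):
        self.available = available

    def password_hash(self, user: str):
        if not self.available:
            raise DatabaseUnavailable("Too many connections")
        return _USERS.get(user)


def _verify(stored_hash, password: str) -> bool:
    """Constant-time comparison of the stored hash against the candidate."""
    if stored_hash is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored_hash, candidate)


def authenticate_fail_open(store: CredentialStore, user: str, password: str) -> bool:
    """Vulnerable pattern: a backend failure is treated like 'no users are
    configured', so the built-in defaults are accepted. Anyone able to
    exhaust the connection pool can then log in with those defaults."""
    try:
        return _verify(store.password_hash(user), password)
    except DatabaseUnavailable:
        return user == DEFAULT_USER and password == DEFAULT_PASSWORD


def authenticate_fail_closed(store: CredentialStore, user: str, password: str) -> bool:
    """Hardened pattern: any backend failure denies access and is logged so
    the outage is visible; nothing is ever compared against a default."""
    try:
        stored = store.password_hash(user)
    except DatabaseUnavailable as exc:
        log.error("authentication unavailable for %r: %s", user, exc)
        return False
    return _verify(stored, password)


if __name__ == "__main__":
    down = CredentialStore(available=False)
    print("fail-open accepts defaults during outage:",
          authenticate_fail_open(down, "magmi", "magmi"))
    print("fail-closed rejects defaults during outage:",
          authenticate_fail_closed(down, "magmi", "magmi"))
```

The logged error in the fail-closed variant is also the detection hook: a burst of "authentication unavailable" entries coinciding with MySQL Too many connections errors is the signal a defender wants to alert on, and keeping max_connections at or above the web server's MaxRequestWorkers removes the easy way to provoke the outage.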

Affected Versions

All versions before 0.7.24

Solution

Upgrade to version 0.7.24 or above.

Last Modified

2020-09-09
