CVE-2021-21426 CRITICAL

CVE-2021-21426: Fixes a bug in Zend Framework's Stream HTTP Wrapper

Vendor Openmage
Product magento-lts
Weakness CWE-502 · Unsafe deserialization
Published April 21, 2021
Last update August 3, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the insecure deserialization of an object. A patch in versions 19.4.13 and 20.0.9 was backported from Zend Framework 3. The vulnerability was assigned CVE-2021-3007 in Zend Framework.

Key dates

Disclosure timeline

April 21, 2021 CVE published
August 3, 2024 Record updated