
Adobe Commerce Admin URL location disclosed

This article provides a patch for the Adobe Commerce security issue where the URL location of the Admin panel can be disclosed. Knowing the URL location could make it easier to automate attacks against the Admin login.

Description

Environments

  • Adobe Commerce on cloud infrastructure 2.X.X
  • Adobe Commerce on-premises 2.X.X
  • Magento Open Source 2.X.X

Issue/Symptoms

An issue has been discovered in Magento Open Source and Adobe Commerce that can be used to disclose the URL location of the Admin panel. While there is currently no reason to believe this issue would lead to a compromise directly, knowing the URL location could make it easier to automate attacks such as credential guessing against the Admin login.

Resolution

To fix the issue, please apply the patch attached to this article. To download it, click the following link:

  • - for versions 2.1.13-2.1.17, Adobe Commerce, Magento Open Source
  • - for versions 2.2.0-2.2.8, all editions
  • - for versions 2.3.0-2.3.1, all editions

If you don't see a patch for your product/version, upgrade to the latest security release first, and then apply the patch.

Adobe strongly recommends applying the patch as soon as possible, even if you haven't observed any symptoms of an attack, because the disclosure itself leaves no trace on the store.

How to apply the patch

See Apply patches in the Commerce on Cloud Guide for instructions.

Other security recommendations

Adobe also strongly recommends that merchants deploy additional controls to secure their Admin panel, including two-factor authentication, VPN-only access, and IP allowlisting, so that knowing the Admin URL alone is not enough to reach the login form. For detailed information, see the following blogs and documentation:
