CVE-2020-9585
Description
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have a defense-in-depth security mitigation vulnerability. Successful exploitation could lead to arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Magento versions 2.3.4 and earlier, 2.2.11 and earlier, 1.14.4.4 and earlier, and 1.9.4.4 and earlier contain a defense-in-depth security mitigation vulnerability that could lead to arbitrary code execution.
Vulnerability Description
CVE-2020-9585 is a defense-in-depth security mitigation vulnerability affecting multiple Magento versions, including Adobe Commerce and Magento Open Source [1]. The exact root cause is not publicly detailed, but the vulnerability arises from a weakness in the security mitigations intended to protect against other attack vectors.
Attack Vector
The official description does not specify the attack vector or prerequisites for exploitation. However, as a defense-in-depth bypass, it likely requires an attacker to have already achieved some level of access, such as administrative credentials or the ability to execute other exploits. The vulnerability is classified with high severity, indicating that exploitation could be accomplished with low complexity and without user interaction.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the affected system, potentially leading to complete compromise of the Magento instance and associated data [1].
Mitigation
Given the version ranges (e.g., 2.3.4 and earlier), versions later than these boundaries are likely patched. Users should upgrade to the latest available releases of Adobe Commerce or Magento Open Source to mitigate the risk.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| magento/community-edition (Packagist) | <= 2.2.11 | — |
| magento/community-edition (Packagist) | >= 2.3.0, < 2.3.4-p2 | 2.3.4-p2 |
| magento/core (Packagist) | < 1.9.4.5 | 1.9.4.5 |
| magento/project-community-edition (Packagist) | <= 2.0.2 | — |
Affected products
- osv-coords (4 versions): pkg:bitnami/magento, pkg:composer/magento/community-edition, pkg:composer/magento/core, pkg:composer/magento/project-community-edition
- (no CPE) range: >= 2.2.0, < 2.2.12
- (no CPE) range: <= 2.2.11
- (no CPE) range: < 1.9.4.5
- (no CPE) range: <= 2.0.2
- Range: 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier versions
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-55gv-hfg3-hwjq (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-9585 (source: ghsa; type: ADVISORY)
- helpx.adobe.com/security/products/magento/apsb20-22.html (source: ghsa; tags: x_refsource_CONFIRM, WEB)