
wubinworks/module-cosmic-sting-patch
====================================

An alternative solution (as a Magento 2 extension) to fix the XXE vulnerability CVE-2024-34102 (aka Cosmic Sting). If you cannot upgrade Magento or cannot apply the official patch, try this one.

Latest version 1.2.0 (released 1y ago), license OSL-3.0, PHP >=7.1.

[Source](https://github.com/wubinworks/magento2-cosmic-sting-patch) · [Packagist](https://packagist.org/packages/wubinworks/module-cosmic-sting-patch) · [Docs](https://www.wubinworks.com)

Magento 2 Patch for CVE-2024-34102(aka Cosmic Sting)
====================================================


***If you don't fix this vulnerability, an attacker can achieve remote code execution (RCE). We have already observed real-world attacks.***

[![Magento 2 CVE-2024-34102(aka Cosmic Sting) Patch](https://raw.githubusercontent.com/wubinworks/home/master/images/Wubinworks/CosmicStingPatch/cosmic-sting-patch-v1.1.jpg "Magento 2 CVE-2024-34102(aka Cosmic Sting) Patch")](https://www.wubinworks.com/cosmic-sting-patch.html)

CVE-2024-34102 Affected Magento Versions (starting from 2.3)
------------------------------------------------------------

- 2.3.0 ~ 2.4.4-p8
- 2.4.5 ~ 2.4.5-p7
- 2.4.6 ~ 2.4.6-p5
- 2.4.7

Background
----------


[CVE-2024-34102](https://cve.org/CVERecord?id=CVE-2024-34102) (aka Cosmic Sting) was identified as an [XXE](https://en.wikipedia.org/wiki/XML_external_entity_attack) vulnerability, and the details were published in June 2024. By exploiting it, the attacker can read secret and important configuration files on the server.
Typically, the attacker extracts the encryption keys from `env.php`.

On most hacked servers, we observed one or more of the following:

- Admin level WebAPI access with fake token
- Fake orders
- Unknown Admin accounts created
- Backdoors
- Magento core files modified
- PHP script that steals sales data
- Malicious JavaScript injected into CMS pages to steal credit cards
- And maybe more

If you want to know *"How Exactly It Works"*, we have very detailed blog posts that [examine](https://www.wubinworks.com/blog/post/cve-2024-34102-cosmic-sting-attack) and [fix](https://www.wubinworks.com/blog/post/cve-2024-34102-aka-cosmicsting-how-to-defend) the vulnerability.
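
The XXE bug class described in this section is defended at the parser: refuse any document that declares a DTD (the only place an external entity can be declared) and parse everything else with network access disabled. The PHP below is an added example written for this page; it is not this extension's code and does not describe how CVE-2024-34102 itself is reached inside Magento. The `XxeSafeXml` class and both sample documents are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the extension's code. A loader that refuses documents
// carrying a DTD and parses everything else with network access disabled.
final class XxeSafeXml
{
    /**
     * Parses $xml or throws InvalidArgumentException when it is unsafe or malformed.
     */
    public static function load(string $xml): SimpleXMLElement
    {
        // No DTD means no entity declarations, which blocks every XXE variant
        // (file://, php://, http://) before libxml ever sees the input.
        if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
            throw new InvalidArgumentException('XML containing a DOCTYPE is not accepted');
        }

        $previous = libxml_use_internal_errors(true);
        try {
            // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT and
            // LIBXML_DTDLOAD are deliberately absent, so entities are never
            // substituted and no external DTD is fetched.
            $element = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
            if ($element === false) {
                $messages = [];
                foreach (libxml_get_errors() as $error) {
                    $messages[] = trim($error->message);
                }
                libxml_clear_errors();
                throw new InvalidArgumentException('Malformed XML: ' . implode('; ', $messages));
            }
            return $element;
        } finally {
            libxml_use_internal_errors($previous);
        }
    }
}

// Constructed sample: the shape an XXE attempt takes. The entity target is a
// placeholder path; the loader rejects the document before parsing it.
$hostile = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///path/to/placeholder-file.txt"> ]>
<data>&ext;</data>
XML;

// Constructed benign document.
$benign = '<?xml version="1.0"?><order><id>1001</id><total>42.50</total></order>';

try {
    XxeSafeXml::load($hostile);
    echo "hostile document accepted (unexpected)\n";
} catch (InvalidArgumentException $e) {
    echo 'hostile document rejected: ', $e->getMessage(), "\n";
}

$order = XxeSafeXml::load($benign);
echo 'benign document parsed, order id ', (string) $order->id, "\n";
```

Rejecting the DOCTYPE up front is deliberately blunt: it also refuses legitimate documents with internal DTDs, which is almost always the right trade for XML that arrives from the network.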

Secondary Disasters (Very Important)
------------------------------------

### Fake Admin Token


The attacker can craft a fake Admin Token using the stolen encryption key. With that token, the attacker can perform Admin-level actions such as creating fake orders, modifying CMS Blocks to inject malicious JavaScript, and more.

### Chained with CVE-2024-2961


> XXEs are now RCEs.

Because CVE-2024-34102 lets the attacker read arbitrary files on the server, it can be combined with a bug in `glibc` ([CVE-2024-2961](https://www.cve.org/CVERecord?id=CVE-2024-2961)) to run arbitrary commands on the server. One real case we experienced: multiple backdoors were downloaded and installed.
The `glibc` bug exists in `glibc` versions <= 2.39 (it is fixed in 2.40).

##### Check `glibc` version by running

```
ldd --version | grep -i 'libc'
```
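
To turn the `ldd --version` output above into a yes/no answer, here is an added PHP example (not part of this extension) that extracts the upstream glibc version from that output and compares it with the 2.40 threshold this README gives. The function names and the two sample outputs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not part of the extension. Parses `ldd --version` output
// and reports whether the installed glibc is older than 2.40.

/**
 * Extracts the upstream glibc version from `ldd --version` output, e.g.
 *   "ldd (Ubuntu GLIBC 2.35-0ubuntu3.8) 2.35"  -> "2.35"
 *   "ldd (GNU libc) 2.40"                       -> "2.40"
 * Returns null when no version can be found.
 */
function glibcVersionFromLdd(string $lddOutput): ?string
{
    $firstLine = strtok($lddOutput, "\r\n");
    if ($firstLine === false) {
        return null;
    }
    // The upstream version is the trailing "major.minor" token on the first line.
    if (preg_match('/(\d+\.\d+)\s*$/', $firstLine, $m) === 1) {
        return $m[1];
    }
    return null;
}

/** True when the reported upstream version is older than the fixed release 2.40. */
function glibcBelowFixedVersion(string $version): bool
{
    return version_compare($version, '2.40', '<');
}

/** Reads the live system; null if ldd is unavailable or produces no version. */
function installedGlibcVersion(): ?string
{
    $out = shell_exec('ldd --version 2>&1');
    return is_string($out) ? glibcVersionFromLdd($out) : null;
}

// Constructed sample outputs standing in for two different hosts.
$samples = [
    "ldd (Ubuntu GLIBC 2.35-0ubuntu3.8) 2.35\nCopyright (C) 2022 Free Software Foundation, Inc.\n",
    "ldd (GNU libc) 2.40\n",
];
foreach ($samples as $sample) {
    $version = glibcVersionFromLdd($sample);
    $verdict = ($version !== null && glibcBelowFixedVersion($version))
        ? 'below 2.40: update glibc'
        : 'at or above 2.40';
    printf("%-6s %s\n", $version ?? 'n/a', $verdict);
}
```

A distribution may have backported the CVE-2024-2961 fix under a version number below 2.40, so treat "below 2.40" as a prompt to check the distribution's own advisory for that CVE rather than as proof of exposure.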

How to fix?
-----------


### Fix the Main Vulnerability CVE-2024-34102


There are 3 Ways Available:

- Upgrade Magento to an unaffected version (preferably the latest version)
- Apply [official isolated patch](https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102#isolated-patch-details)
- Install this extension

***Note you still need to fix "Secondary Disasters" after completing the above step.***

### Rotate Encryption Key


This step invalidates crafted fake tokens and completely denies the attacker WebAPI access.
*If you are unsure whether the encryption keys have leaked, do this step.*

##### Additional Info


Some Magento 2.4 versions have a bug that requires you to apply a [patch](https://github.com/wubinworks/magento2-jwt-auth-patch) before performing key rotation.

[How to rotate encryption key?](https://www.wubinworks.com/blog/post/magento2-rotate-encryption-key)

[Alternative Encryption Key Rotation Tool](https://github.com/wubinworks/magento2-encryption-key-manager-cli)

[New Magento encryption key format](https://www.wubinworks.com/blog/post/new-encryption-key-format-introduced-on-magento-2.4.7)

### Fix `glibc` Bug(Strongly Recommended)


Update `glibc` to >= 2.40 to fix CVE-2024-2961.

*Don't forget to reboot server.*

Feature
-------


This extension

- Fixes CVE-2024-34102 (can PASS the [Official Security Scan Tool](https://account.magento.com/scanner/dashboard/))
- Version 1.2.0 new feature: *Who Attacked My Site*
    For those who are interested in the attacker, check the [Logging](#logging) section.

Logging
-------


##### Enable Logging


By default, logging is disabled for performance reasons. To enable it, open a local module and merge the following into its `etc/di.xml`.

```

                    true

```

##### Log Location


```
/var/log/wubinworks_cve-2024-34102.log
```

##### Incorrect IP Address?


If you see an incorrect IP such as `127.0.0.1`, an empty string or a CDN's IP, your ***web server, middleware, and/or proxy server have incorrect settings***. There is no way to determine the real IP address without fixing those settings.
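
The addresses listed above (`127.0.0.1`, an empty string, a CDN's IP) are what `REMOTE_ADDR` genuinely holds when a local reverse proxy or CDN terminates the connection: the real client address then exists only in a forwarded header, and that header can be forged by anyone who connects directly. The PHP below is an added example, not this extension's code, of resolving the client IP against a list of proxies you operate. The `isTrustedProxy` and `resolveClientIp` functions, the proxy list and the `$_SERVER`-style arrays are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the extension's code. The proxy list and the
// $_SERVER-style arrays below are constructed.

/** True when $ip matches an entry in $trusted (exact address or IPv4 CIDR). */
function isTrustedProxy(string $ip, array $trusted): bool
{
    foreach ($trusted as $entry) {
        if ($entry === $ip) {
            return true;
        }
        if (strpos($entry, '/') === false) {
            continue;
        }
        [$network, $bits] = explode('/', $entry, 2);
        $ipLong = ip2long($ip);
        $netLong = ip2long($network);
        if ($ipLong === false || $netLong === false) {
            continue; // IPv6 ranges are out of scope for this example
        }
        $bits = (int) $bits;
        $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
        if (($ipLong & $mask) === ($netLong & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the client address. X-Forwarded-For is honoured only when the
 * direct peer (REMOTE_ADDR) is one of our own proxies; the chain is then
 * walked from the right, skipping trusted hops, so the first address we
 * did not append ourselves is the client. Anything else is untrusted input.
 */
function resolveClientIp(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '' || !isTrustedProxy($remote, $trustedProxies)) {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $chain = array_values(array_filter($chain, function (string $ip): bool {
        return filter_var($ip, FILTER_VALIDATE_IP) !== false;
    }));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (!isTrustedProxy($chain[$i], $trustedProxies)) {
            return $chain[$i];
        }
    }
    return $remote; // header missing or every hop was ours: nothing better to report
}

// Constructed scenarios using RFC 5737 documentation addresses.
$trusted = ['127.0.0.1', '192.0.2.0/24']; // local reverse proxy plus a CDN edge range

$cases = [
    'direct connection'         => ['REMOTE_ADDR' => '203.0.113.10'],
    'client forges the header'  => ['REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'behind local proxy'        => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'CDN edge then local proxy' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 192.0.2.33'],
];

foreach ($cases as $label => $server) {
    // With an empty trusted list the two proxied cases would report 127.0.0.1,
    // which is exactly the symptom described above.
    printf("%-26s raw=%-13s resolved=%s\n", $label, $server['REMOTE_ADDR'], resolveClientIp($server, $trusted));
}
```

The trusted list must contain only addresses you control or your CDN publishes; adding a range you do not control lets anyone inside it choose the address that ends up in the log.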

Requirements
------------


Magento 2.3 or 2.4

##### PHP Version Compatibility


- Versions 1.0.0 and 1.1.0 support PHP 8 only
- Version 1.2.0 (re-designed) supports PHP 7 and PHP 8

Installation
------------


Latest:
**`composer require wubinworks/module-cosmic-sting-patch`**

Installation Tips:

- *Version 1.0.0 and 1.1.0 must be installed via `composer`*
- *Version 1.2.0 can be installed via `composer` or directly to `app/code`*

♥
-


If you like this extension or this extension helped you, please ★star☆ this repository.

You may also like:

- [Magento 2 Patch for CVE-2022-24086, CVE-2022-24087](https://github.com/wubinworks/magento2-template-filter-patch)
- [Magento 2 Enhanced XML Security](https://github.com/wubinworks/magento2-enhanced-xml-security)
- [Magento 2 Encryption Key Manager CLI](https://github.com/wubinworks/magento2-encryption-key-manager-cli)
- [Magento 2 JWT Authentication Patch](https://github.com/wubinworks/magento2-jwt-auth-patch)
- [Magento 2 Disable Customer Change Email Extension](https://github.com/wubinworks/disable-change-email)
- [Magento 2 Disable Customer Extension](https://github.com/wubinworks/magento2-disable-customer)
