Latest versions – Magento Commerce and Open Source – 2.3.5-p1 and 2.3.4-p2

On the 28th of April, Magento released the latest versions of Magento Commerce and Open Source, available to our entire Magento Community. So the pre-release period for these update ends. Magento website owners and merchants should start the process of accessing these updates, they can now be found on GitHub and at Magento.com (in addition to Composer). The Magento improved the experience and security aspects through these new versions.
An error was discovered during Magento’s pre-release period and they have released a correction via a new version. If you access the code via Magento.com, you will only have access to the correct versions (2.3.5-p1 and 2.3.4-p2) but if you access the code via Composer you will need to manually request these specific versions. If you downloaded the code during the pre-release period and encountered error messages, kindly download these new versions; if no error messages were present, you can disregard these new versions.
Additionally, Magento has released a separate security hotfix for 2.3.5-p1 and will need to be downloaded and applied.
You can learn more about release information here.
Magento has released updates for Magento Commerce and Open Source editions. These updates resolve vulnerabilities rated Critical, Important, and Moderate. Successful exploitation could lead to arbitrary code execution.

Affected Versions:

ProductVersionPlatform
Magento Commerce2.3.4 and earlier versionsAll
Magento Open Source2.3.4 and earlier versionsAll
Magento Commerce2.2.11 and earlier versions (see note)All
Magento Open Source2.2.11 and earlier versions (see note)All
Magento Enterprise Edition1.14.4.4 and earlier versionsAll
Magento Community Edition1.9.4.4 and earlier versionsAll

Solution:

ProductVersionPlatformPriority RatingAvailability
Magento Commerce2.3.4-p2All22.3.4-p2 Commerce
Magento Open Source2.3.4-p2All22.3.4-p2 Open Source
Magento Commerce2.3.5-p1All22.3.5 Commerce
Magento Open Source2.3.5-p1All22.3.5 Open Source
Magento Enterprise Edition1.14.4.5All21.14.4.5
Magento Community Edition1.9.4.5All21.9.4.5
Adobe categorizes these updates with the ‘2’ priority ratings and recommends users update their installation to the newest version.

Definition for Priority ‘2’ – This update resolves vulnerabilities in a product that has historically been at elevated risk. There are currently no known exploits. Based on previous experience, we do not anticipate exploits are imminent. As a best practice, Adobe recommends administrators install the update soon (for example, within 30 days).

These updates address the following vulnerability impacts:

  • Arbitrary code execution
  • Sensitive information disclosure
  • Unauthorized access to admin panel
  • Potentially unauthorized product discounts
  • Signature verification bypass
If you