Adobe Commerce 2.3.7-p3 is a security release that provides security fixes that enhance your Adobe Commerce 2.3.7 or Magento Open Source 2.3.7 deployment. It provides fixes for vulnerabilities that have been identified in the previous release (Adobe Commerce 2.3.7-p2).
PHP 7.3 reached end of support in December 2021, and Adobe Commerce 2.3.x and Magento Open Source 2.3.x will reach end of support in September 2022. We strongly recommend planning your upgrade now to Adobe Commerce 2.4.x or Magento Open Source 2.4.x deployment to help maintain PCI compliance.
Releases may contain backward-incompatible changes (BIC). To review minor backward-incompatible changes, see BIC reference. (Major backward-incompatible issues are described in BIC highlights. Not all releases introduce major BICs.)
AC-3022.patch to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply
AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as shipping carrier Knowledge Base article for information about downloading and installing the patch.
What’s in this release?
This security patch includes:
- Resolution of the vulnerability addressed by
- The security enhancements described in these release notes
- Two security bug fixes. See Adobe Security Bulletin for the latest discussion of these fixed issues.
Security improvements for this release improve compliance with the latest security best practices, including:
Email variable usage was deprecated back in 2.3.4 as part of a security risk mitigation in favor of a more strict variable syntax. This legacy behavior has been fully removed in this release as a continuation of that security risk mitigation.
As a result, email or newsletter templates that worked in previous versions of Magento may not work correctly after upgrading to Adobe Commerce 2.3.7-p3. Affected templates include admin overrides, themes, child themes, and templates from custom modules or third-party extensions. Your deployment may still be affected even after using the Upgrade compatibility tool to fix deprecated usages. See Migrating custom email templates for information about potential effects and guidelines for migrating affected templates.
OAuth access tokens and password reset tokens are now encrypted when stored in the database.
Password reset tokens are no longer stored in plain text in the database.
Validation has been strengthened to prevent the upload of non alpha-numeric file extensions.
Swagger is now disabled by default when Adobe Commerce is in production mode.
Developers can now configure the limit on the size of arrays accepted by Adobe Commerce RESTful endpoints on a per-endpoint basis. See API security.
Added mechanisms for limiting the size and number of resources that a user can request through a web API on a system-wide basis, and for overriding the defaults on individual modules. This resolves the issue addressed by
MC-43048__set_rate_limits__2.4.3.patch. See API security.
Installation and upgrade instructions
For instructions on downloading and applying security patches (including patch 2.3.7-p3), see Quick start install.
For general information about security patches, see Introducing the New Security Patch Release.