Magento 2.4.3-p1
19 October 2021
Magento version 2.4.3-p1 is now available (major release).
What's New in Magento 2.4.3-p1
Patch 2.4.3-p1 is a security-only release that provides seven security fixes that enhance your Adobe Commerce 2.4.3 or Magento Open Source 2.4.3 deployment. Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release provides. Patch 2.4.3-p1 provides fixes for vulnerabilities that have been identified in our previous quarterly release, Adobe Commerce 2.4.3 and Magento Open Source 2.4.3.
Security
- Session IDs have been removed from the database. This code change may result in breaking changes if merchants have customizations or installed extensions that use the raw session IDs stored in the database.
- Restricted admin access to Media Gallery folders. Default Media Gallery permissions now allow only directory operations (view, upload, delete, and create) that are explicitly allowed by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the catalog/category or wysiwyg directories. Administrators who want to access media assets must move them to an explicitly allowed folder or adjust their configuration settings. See Modify Media Library folder permissions.
- Lowered limits to GraphQL query complexity. The GraphQL maximum allowed query complexity has been lowered to prevent Denial-of-Service (DoS) attacks. See GraphQL security configuration.
- Recent penetration test vulnerabilities have been fixed in this release.
- The unsupported source expression unsafe-inline has been removed from the Content Security Policy frame-ancestors directive. GitHub-33101
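
A check for the condition fixed in the last item, as an added example that is not Magento code: it parses a Content-Security-Policy header value and reports quoted keyword sources in frame-ancestors, which accepts only 'self', 'none', scheme sources, and host sources. The function names are hypothetical and the sample header values are constructed for illustration.

```python
import re

# frame-ancestors accepts only 'self', 'none', scheme sources (https:)
# and host sources (https://example.com, *.example.com:443).
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:$", re.I)
_HOST = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"                    # optional scheme
    r"(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)"   # host, optional leading wildcard
    r"(?::(?:\d+|\*))?"                              # optional port
    r"(?:/\S*)?$",                                   # optional path
    re.I,
)

# Constructed sample header values (not captured from a real store).
BEFORE = "default-src 'self'; frame-ancestors 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
AFTER = "default-src 'self'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline'"


def parse_policy(policy):
    """Split one serialized policy into {directive: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; the first one wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def unsupported_frame_ancestors(header_value):
    """Return frame-ancestors sources that are not valid for that directive."""
    bad = []
    for policy in header_value.split(","):  # one header may carry several policies
        for src in parse_policy(policy).get("frame-ancestors", []):
            if src.lower() in ("'self'", "'none'"):
                continue
            # Any other quoted keyword ('unsafe-inline', nonces, hashes) is unsupported here.
            if src.startswith("'") or not (_SCHEME.match(src) or _HOST.match(src)):
                bad.append(src)
    return bad


if __name__ == "__main__":
    print("before:", unsupported_frame_ancestors(BEFORE))
    print("after: ", unsupported_frame_ancestors(AFTER))
```

Run it against the Content-Security-Policy (or Content-Security-Policy-Report-Only) header value returned by a storefront or admin page; an empty list means frame-ancestors contains only supported source expressions.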