1. Magento Help Center
  2. Troubleshooting
  3. Known issues (patches attached)

Articles in this section

See more

Remove failed login attempts from the database

  • Created
  • Updated

This article explains how to remove pre-existing failed login credentials from the Magento Commerce and Magento Commerce Cloud database.
For versions  2.2.10+ and 2.3.3+ you only need to run the script.
For older versions  2.3.0-2.3.2-p2 you need to apply a patch to stop logging and run the script to remove pre-existing failed login credentials.

Affected products and versions

  • This issue affects Magento Open Source and Magento Commerce (on-premise and Cloud) for 2.2.x, 2.3.x and earlier versions.
  • Magento 1.x deployments are not affected.

Issue

In 2019 a bug was reported to Magento that allowed failed login attempts to be logged in a database in Magento 2.3.x and 2.2.x. In response, Magento included a fix for this issue in Magento 2.3.3 and 2.2.10 (released October 2019). While the fix for that bug stopped the logging of failed login attempts, information collected prior to updating to these current versions may still exist. This most recent fix clears the login attempts information that was previously logged, if any.  
CVE-2019-8118 is described and tracked in Common Vulnerabilities and Exposures. 

Solution

Whether you need to use the script and the patch, or just the script, depends on your version of Magento:

Magento Commerce and Magento Open Source versions 2.3.0-2.3.2-p2

For these versions you must apply the patch and run the database clean-up script to end continued logging and eliminate logs.

  1. Run the composer patch to stop logging. This patch is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link CLEANUP_PATCH_COMPOSER_2.3.2.patch. For instructions on how to apply the patch, see How to apply a composer patch provided by Magento.
  1. Now run the script to clean the database of the pre-existing failed login attempts. This script is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link DB_CLEANUP_SCRIPT.php.

Please refer to the How to run the script section for instructions.

Magento Commerce and Magento Open Source versions 2.3.3 and above/2.2.10 & above

For these versions only run the below script to clear old logs (logging was ended previously for these versions through a fix released in Oct 2019). This script is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link DB_CLEANUP_SCRIPT.php.

Please refer to the How to run the script section for instructions.

How to run the script

Please follow the below instructions to run the script:

  1. Put DB_CLEANUP_SCRIPT.php in the root directory of the Magento installation (in the same directory as app which contains app/bootstrap.php).
  2. Run this command in the terminal:
    php DB_CLEANUP_SCRIPT.php and it will begin the database clean up process.

Attached files

Was this article helpful?
1 out of 1 found this helpful
Return to top

Related articles