5.4

CVE-2023-32694

Non-constant time HMAC comparison in Adyen plugin in Saleor

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SaleorSaleor Version >= 2.11.0 < 3.7.68
SaleorSaleor Version >= 3.8.0 < 3.8.40
SaleorSaleor Version >= 3.9.0 < 3.9.49
SaleorSaleor Version >= 3.10.0 < 3.10.36
SaleorSaleor Version >= 3.11.0 < 3.11.35
SaleorSaleor Version >= 3.12.0 < 3.12.25
SaleorSaleor Version >= 3.13.0 < 3.13.16
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.34% 0.257
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 4.8 2.2 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e
Patch
https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f
Vendor Advisory