CVE-2023-32694

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-32694
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32694.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-32694
Aliases
  • GHSA-3rqj-9v87-2x3f
Published
2023-05-25T15:15:09Z
Modified
2024-05-30T04:06:27.772826Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Saleor Core is a composable, headless commerce API. Saleor's validate_hmac_signature function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

References

Affected packages

Git / github.com/saleor/saleor

Affected ranges

Type
GIT
Repo
https://github.com/saleor/saleor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

2.*

2.0.0
2.1.0
2.10.0
2.10.0-rc.1
2.10.0-rc.2
2.2.0
2.3.0
2.4.0
2.5.0
2.6.0
2.7.0
2.8.0
2.9.0

v2016.*

v2016.07.0

v2017.*

v2017.02.0
v2017.02.1
v2017.03.0
v2017.03.1
v2017.03.2
v2017.03.3
v2017.03.4
v2017.07.0
v2017.09
v2017.10
v2017.11
v2017.12
v2017.12.1

v2018.*

v2018.01
v2018.02
v2018.03
v2018.04
v2018.05
v2018.06
v2018.08
v2018.09