PYSEC-2023-1

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/adyen/PYSEC-2023-1.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2023-1

Published

2023-01-24T00:00:00Z

Modified

2023-01-24T00:00:00Z

Summary

[none]

Details

Adyen has utility methods for validating notification HMAC signatures. The isvalidhmac and isvalidhmac_notification methods are vulnerable to a timing attack, you should compare the hash of the HMACs instead.

References

https://github.com/Adyen/adyen-python-api-library/issues/168
https://github.com/Adyen/adyen-python-api-library/pull/170

Affected packages

PyPI / adyen

Package

Name: adyen; View open source insights on deps.dev
Purl: pkg:pypi/adyen

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.2.0

Fixed

7.1.0

Affected versions

2.*

2.2.0

2.3.0

3.*

3.0.0

3.1.0

4.*

4.0.0

5.*

5.0.0

5.1.0

6.*

6.0.0

7.*

7.0.0

Database specific

source

"https://github.com/pypa/advisory-database/blob/main/vulns/adyen/PYSEC-2023-1.yaml"