NVD:CVE-2023-32694
History: May 25, 2023 - 3:15 p.m.

CVE-2023-32694

2023-05-25 15:15:09
CWE-203
CWE-208
web.nvd.nist.gov
Tags (6): saleor core, timing attacks, adyen plugin, database integrity, patch, versions

CVSS3: 5.4
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score: 5
Confidence: High
EPSS: 0.001
Percentile: 29.6%

Saleor Core is a composable, headless commerce API. Saleor's validate_hmac_signature function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments with the Adyen plugin enabled to determine the secret key and forge fake events; this could affect database integrity, for example by marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
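The defect class described above, as an added Python illustration that is not Saleor's own code (the function names, the secret and the Adyen-style notification body are constructed, and the real Adyen signing scheme is not reproduced): an HMAC check that compares digests with `==` beside one that uses `hmac.compare_digest`, with the forged-event and tampered-body cases a defender would test against.

```python
import hashlib
import hmac

# Constructed sample values for this demonstration only (hypothetical secret and payload).
WEBHOOK_SECRET = b"constructed-demo-secret"
RAW_BODY = b'{"eventCode":"AUTHORISATION","success":"true","merchantReference":"order-42"}'


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 of the raw body, hex encoded, as the sender would compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def validate_hmac_signature_vulnerable(secret: bytes, body: bytes, provided: str) -> bool:
    """Weak pattern: '==' on the hex strings may return as soon as a byte differs,
    so response time correlates with how many leading characters of the guess
    are correct. Same verdicts as the fixed version, but leaks through timing."""
    return sign(secret, body) == provided


def validate_hmac_signature_fixed(secret: bytes, body: bytes, provided: str) -> bool:
    """Hardened pattern: hmac.compare_digest takes time independent of where
    the two inputs differ. Both arguments are ASCII hex strings, which is the
    form compare_digest accepts for str inputs."""
    return hmac.compare_digest(sign(secret, body), provided)


def demo() -> dict:
    """Exercise the hardened check with a genuine, a wrong-key, a tampered-body
    and a truncated signature, and confirm both checks agree on every verdict."""
    good = sign(WEBHOOK_SECRET, RAW_BODY)
    wrong_key = sign(b"some-other-key", RAW_BODY)  # signature made without the real secret
    tampered_body = RAW_BODY.replace(b'"order-42"', b'"order-43"')
    return {
        "genuine_accepted": validate_hmac_signature_fixed(WEBHOOK_SECRET, RAW_BODY, good),
        "wrong_key_rejected": not validate_hmac_signature_fixed(WEBHOOK_SECRET, RAW_BODY, wrong_key),
        "tampered_body_rejected": not validate_hmac_signature_fixed(WEBHOOK_SECRET, tampered_body, good),
        "truncated_sig_rejected": not validate_hmac_signature_fixed(WEBHOOK_SECRET, RAW_BODY, good[:-1]),
        "both_checks_agree": all(
            validate_hmac_signature_vulnerable(WEBHOOK_SECRET, RAW_BODY, s)
            == validate_hmac_signature_fixed(WEBHOOK_SECRET, RAW_BODY, s)
            for s in (good, wrong_key, good[:-1])
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The two verifiers return identical results on every input; the only thing the fix changes is the comparison primitive, which is why a functional test suite will not catch this class of bug and a code review for `==` on digests is needed.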

Affected configurations

Nvd
Node (any of the following ranges):
saleor saleor, range 2.11.0 to 3.7.68
OR saleor saleor, range 3.8.0 to 3.8.40
OR saleor saleor, range 3.9.0 to 3.9.49
OR saleor saleor, range 3.10.0 to 3.10.36
OR saleor saleor, range 3.11.0 to 3.11.35
OR saleor saleor, range 3.12.0 to 3.12.25
OR saleor saleor, range 3.13.0 to 3.13.16

Vendor   Product   Version   CPE
saleor   saleor    *         cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*

