CVE-2023-32694

CVSS V2 None CVSS V3 None

Description

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

Overview

CVE ID
CVE-2023-32694

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-05-25T14:29:10.217Z

Last Modified Date
2023-05-25T14:29:10.217Z

Weakness Enumerations

CWE	URL
CWE-203	http://cwe.mitre.org/data/definitions/203.html
CWE-208	http://cwe.mitre.org/data/definitions/208.html

References

Reference URL	Reference Tags
https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f	x_refsource_CONFIRM
https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-32694
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32694

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 11:57:51				Added to TrackCVE