CVE-2023-32694

low-risk
Published 2023-05-25

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

Do I need to act?

-
0.31% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Saleor

Affected Vendors

Saleor

References (4)

Patch https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e
Vendor Advisory https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f
Patch https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e
Vendor Advisory https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f
21
/ 100
low-risk
Severity 15/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal