CVE-2023-32694

{"id": "CVE-2023-32694", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}]}, "published": "2023-05-25T15:15:09.027", "references": [{"url": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-203"}, {"lang": "en", "value": "CWE-208"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16."}], "lastModified": "2024-11-21T08:03:52.053", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13E1A87B-FAF4-41F6-8F64-72EB8F535642", "versionEndExcluding": "3.7.68", "versionStartIncluding": "2.11.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2363CBE1-4D08-4712-930A-7FC0029AFECF", "versionEndExcluding": "3.8.40", "versionStartIncluding": "3.8.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0C39E26-C3BB-4B44-BD18-E011C0AFBCC8", "versionEndExcluding": "3.9.49", "versionStartIncluding": "3.9.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CBF54931-397D-4626-B4CC-CD8C2A916D12", "versionEndExcluding": "3.10.36", "versionStartIncluding": "3.10.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3380DEFD-93E8-4CC1-B8EC-EBBA19AF2F16", "versionEndExcluding": "3.11.35", "versionStartIncluding": "3.11.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC5A2AF4-F9F2-4D98-8118-E04956E49110", "versionEndExcluding": "3.12.25", "versionStartIncluding": "3.12.0"}, {"criteria": "cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "258863A8-21DF-4C03-9B10-9C38790E127B", "versionEndExcluding": "3.13.16", "versionStartIncluding": "3.13.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}