Unrated severityNVD Advisory· Published May 25, 2023· Updated Jan 16, 2025

Non-constant time HMAC comparison in Adyen plugin in Saleor

CVE-2023-32694

Description

Saleor Core is a composable, headless commerce API. Saleor's validate_hmac_signature function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

Affected products

Saleor/Saleorv5
Range: >= 2.11.0, < 3.7.68

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35emitrex_refsource_MISC
github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3fmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000