CVE-2023-32694 (GCVE-0-2023-32694)
Vulnerability from cvelistv5
Published
2023-05-25 14:29
Modified
2025-01-16 19:21
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-203 - Observable Discrepancy
  • CWE-208 - Observable Timing Discrepancy
Summary
Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
References
security-advisories@github.comhttps://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35ePatch
security-advisories@github.comhttps://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3fVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35ePatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3fVendor Advisory
Impacted products
Vendor Product Version
saleor saleor Version: >= 2.11.0, < 3.7.68
Version: >= 3.8.0, < 3.8.40
Version: >= 3.9.0, < 3.9.49
Version: >= 3.10.0, < 3.10.36
Version: >= 3.11.0, < 3.11.35
Version: >= 3.12.0, < 3.12.25
Version: >= 3.13.0, < 3.13.16
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:25:36.493Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f"
          },
          {
            "name": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32694",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-16T19:21:44.207892Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-16T19:21:54.740Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "saleor",
          "vendor": "saleor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.11.0, \u003c 3.7.68"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.8.0, \u003c 3.8.40"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.9.0, \u003c 3.9.49"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.10.0, \u003c 3.10.36"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.11.0, \u003c 3.11.35"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.12.0, \u003c 3.12.25"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.13.0, \u003c 3.13.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Saleor Core is a composable, headless commerce API. Saleor\u0027s `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-203",
              "description": "CWE-203: Observable Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-208",
              "description": "CWE-208: Observable Timing Discrepancy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-25T14:29:10.217Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f"
        },
        {
          "name": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e"
        }
      ],
      "source": {
        "advisory": "GHSA-3rqj-9v87-2x3f",
        "discovery": "UNKNOWN"
      },
      "title": "Non-constant time HMAC comparison in Adyen plugin in Saleor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32694",
    "datePublished": "2023-05-25T14:29:10.217Z",
    "dateReserved": "2023-05-11T16:33:45.733Z",
    "dateUpdated": "2025-01-16T19:21:54.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32694\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-05-25T15:15:09.027\",\"lastModified\":\"2024-11-21T08:03:52.053\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Saleor Core is a composable, headless commerce API. Saleor\u0027s `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"},{\"lang\":\"en\",\"value\":\"CWE-208\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.11.0\",\"versionEndExcluding\":\"3.7.68\",\"matchCriteriaId\":\"13E1A87B-FAF4-41F6-8F64-72EB8F535642\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.8.0\",\"versionEndExcluding\":\"3.8.40\",\"matchCriteriaId\":\"2363CBE1-4D08-4712-930A-7FC0029AFECF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.9.0\",\"versionEndExcluding\":\"3.9.49\",\"matchCriteriaId\":\"F0C39E26-C3BB-4B44-BD18-E011C0AFBCC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.10.0\",\"versionEndExcluding\":\"3.10.36\",\"matchCriteriaId\":\"CBF54931-397D-4626-B4CC-CD8C2A916D12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.11.0\",\"versionEndExcluding\":\"3.11.35\",\"matchCriteriaId\":\"3380DEFD-93E8-4CC1-B8EC-EBBA19AF2F16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.12.0\",\"versionEndExcluding\":\"3.12.25\",\"matchCriteriaId\":\"AC5A2AF4-F9F2-4D98-8118-E04956E49110\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:saleor:saleor:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.13.0\",\"versionEndExcluding\":\"3.13.16\",\"matchCriteriaId\":\"258863A8-21DF-4C03-9B10-9C38790E127B\"}]}]}],\"references\":[{\"url\":\"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\", \"name\": \"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:25:36.493Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32694\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-16T19:21:44.207892Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-16T19:21:50.072Z\"}}], \"cna\": {\"title\": \"Non-constant time HMAC comparison in Adyen plugin in Saleor\", \"source\": {\"advisory\": \"GHSA-3rqj-9v87-2x3f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"saleor\", \"product\": \"saleor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.11.0, \u003c 3.7.68\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.8.0, \u003c 3.8.40\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.9.0, \u003c 3.9.49\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.10.0, \u003c 3.10.36\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.11.0, \u003c 3.11.35\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.12.0, \u003c 3.12.25\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.13.0, \u003c 3.13.16\"}]}], \"references\": [{\"url\": \"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\", \"name\": \"https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\", \"name\": \"https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Saleor Core is a composable, headless commerce API. Saleor\u0027s `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-203\", \"description\": \"CWE-203: Observable Discrepancy\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-208\", \"description\": \"CWE-208: Observable Timing Discrepancy\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-05-25T14:29:10.217Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32694\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-16T19:21:54.740Z\", \"dateReserved\": \"2023-05-11T16:33:45.733Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-05-25T14:29:10.217Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.