CVE-2023-32694 MEDIUM

CVE-2023-32694: Non-constant time HMAC comparison in Adyen plugin in Saleor

Vendor Saleor
Product saleor
Weakness CWE-203
Published May 25, 2023
Last update January 16, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments that have the Adyen plugin enabled in order to determine the secret key and forge fake events; this could affect database integrity, for example by marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.
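The weakness class (CWE-203, observable timing discrepancy) comes from comparing a computed HMAC tag to a presented one with an operator that can stop at the first mismatching byte. The following is an added illustration, not Saleor's or Adyen's code: it places a non-constant-time comparison beside the standard remedy, `hmac.compare_digest`, inside a minimal webhook-style handler. The key, payload, and the signing format (HMAC-SHA256 over the raw body, base64-encoded) are constructed assumptions for the example and do not reproduce Adyen's actual notification signing scheme.

```python
import base64
import hashlib
import hmac

# Constructed sample key for the example; a real deployment loads this from
# configuration and never hard-codes it.
HMAC_KEY = b"example-hmac-key-not-a-real-secret"


def compute_signature(key: bytes, payload: bytes) -> str:
    """Base64-encoded HMAC-SHA256 tag of payload under key (assumed format)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(tag).decode("ascii")


def validate_hmac_signature_insecure(key: bytes, payload: bytes, presented: str) -> bool:
    """Vulnerable pattern (CWE-203): '==' on strings may return as soon as a
    differing character is found, so the time taken depends on how long the
    matching prefix is. That is the defect class this CVE describes."""
    expected = compute_signature(key, payload)
    return expected == presented


def validate_hmac_signature_secure(key: bytes, payload: bytes, presented: str) -> bool:
    """Hardened form: hmac.compare_digest runs in time that does not depend on
    where the inputs differ. Comparing bytes avoids the ASCII-only restriction
    compare_digest places on str arguments, so arbitrary input is handled."""
    expected = compute_signature(key, payload).encode("utf-8")
    return hmac.compare_digest(expected, presented.encode("utf-8"))


def handle_payment_notification(key: bytes, payload: bytes, presented: str) -> str:
    """Only a correctly signed event may change order state. Returns a short
    status string so the outcome can be checked without a database."""
    if not validate_hmac_signature_secure(key, payload, presented):
        # Reject and log; do not touch order state for unauthenticated events.
        return "rejected: bad signature"
    return "accepted: order marked paid"


if __name__ == "__main__":
    # Constructed sample event body.
    body = b'{"eventCode":"AUTHORISATION","success":"true","merchantReference":"order-1"}'
    good = compute_signature(HMAC_KEY, body)
    print(handle_payment_notification(HMAC_KEY, body, good))
    print(handle_payment_notification(HMAC_KEY, body, "forged-signature"))
```

Both validators return the same boolean for any given input; the difference is only in how long the comparison takes when the tag is wrong, which is exactly what an observer on the network can measure. Migrating a deployment means replacing every `==` on a secret-derived value with `hmac.compare_digest` (or an equivalent constant-time routine) and upgrading to one of the patched versions listed above.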

Key dates

Disclosure timeline

May 25, 2023 CVE published
January 16, 2025 Record updated