Home > Vulnerability Database > CVE-2023-32694

Mend.io Vulnerability Database

CVE-2023-32694

Date: May 25, 2023

Saleor Core is a composable, headless commerce API. Saleor's "validate_hmac_signature" function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

Language: Python

Severity Score

4.8

Related Resources (4)

Url: https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-32694

Url: https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e

Url: https://www.mend.io/vulnerability-database/CVE-2023-32694

Severity Score

4.8

Weakness Type (CWE)

Observable Discrepancy

CWE-203

Observable Timing Discrepancy

CWE-208

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-32694

Date: May 25, 2023

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?