CVE-2023-32694— Saleor 安全漏洞

Non-constant time HMAC comparison in Adyen plugin in Saleor

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

通过差异性导致的信息暴露

Saleor 安全漏洞

Github saleor是一个无头的 GraphQL 商务平台，提供超快速、动态、个性化的购物体验。美丽的在线商店，在任何地方，在任何设备上。 Saleor Core存在安全漏洞，该漏洞源于容易受到定时攻击，攻击者利用该漏洞可以确定密钥并伪造虚假事件，这可能会影响数据库完整性。

N/A

N/A