CVE-2023-32694

MEDIUM

Saleor Core <3.7.67 - Timing Attack

Title source: llm

Description

Saleor Core is a composable, headless commerce API. Saleor's `validate_hmac_signature` function is vulnerable to timing attacks. Malicious users could abuse this vulnerability on Saleor deployments having the Adyen plugin enabled in order to determine the secret key and forge fake events, this could affect the database integrity such as marking an order as paid when it is not. This issue has been patched in versions 3.7.68, 3.8.40, 3.9.49, 3.10.36, 3.11.35, 3.12.25, and 3.13.16.

References (2)

[Vendor Advisory] https://github.com/saleor/saleor/security/advisories/GHSA-3rqj-9v87-2x3f

[Patch] https://github.com/saleor/saleor/commit/1328274e1a3d04ab87d7daee90229ff47b3bc35e

View Patch ZIP pw:eip

Scores

CVSS v3 4.8

EPSS 0.0031

EPSS Percentile 54.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-208 CWE-203

Status published

Products (1)

saleor/saleor 2.11.0 - 3.7.68

Published May 25, 2023

Tracked Since Feb 18, 2026