PT-2023-23968 · Unknown · Saleor Core

Nyankiyoshi · Published 2023-05-25 · Updated 2023-06-01 · CVE-2023-32694

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Saleor Core versions prior to 3.7.68
Saleor Core versions prior to 3.8.40
Saleor Core versions prior to 3.9.49
Saleor Core versions prior to 3.10.36
Saleor Core versions prior to 3.11.35
Saleor Core versions prior to 3.12.25
Saleor Core versions prior to 3.13.16

Description

The validate_hmac_signature function in Saleor Core is susceptible to timing attacks, which malicious users could exploit in deployments with the Adyen plugin enabled. By measuring how long signature validation takes, an attacker could recover the HMAC secret key and forge fake payment events, potentially affecting database integrity, for example by incorrectly marking orders as paid.

Recommendations

For versions prior to 3.7.68, update to version 3.7.68 or later.
For versions prior to 3.8.40, update to version 3.8.40 or later.
For versions prior to 3.9.49, update to version 3.9.49 or later.
For versions prior to 3.10.36, update to version 3.10.36 or later.
For versions prior to 3.11.35, update to version 3.11.35 or later.
For versions prior to 3.12.25, update to version 3.12.25 or later.
For versions prior to 3.13.16, update to version 3.13.16 or later.
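To illustrate the class of bug described above, the following added example (not Saleor's or Adyen's code) shows an Adyen-style webhook HMAC check written with a short-circuiting `==` comparison next to the constant-time form using `hmac.compare_digest`, plus a small model of how many characters a short-circuiting compare inspects. The key, the notification fields and their signing order are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example; neither the key nor the
# notification comes from Saleor, Adyen or the advisory.
SAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
SAMPLE_NOTIFICATION = {
    "pspReference": "8515131751004933",
    "originalReference": "",
    "merchantAccountCode": "ExampleMerchant",
    "merchantReference": "order-1234",
    "value": "2500",
    "currency": "EUR",
    "eventCode": "AUTHORISATION",
    "success": "true",
}
# Field order assumed for this example (Adyen signs a colon-joined subset of fields).
SIGNED_FIELDS = ["pspReference", "originalReference", "merchantAccountCode",
                 "merchantReference", "value", "currency", "eventCode", "success"]


def compute_signature(key_hex: str, notification: dict) -> str:
    """HMAC-SHA256 over the colon-joined signed fields, base64-encoded."""
    payload = ":".join(notification[f] for f in SIGNED_FIELDS).encode("utf-8")
    mac = hmac.new(bytes.fromhex(key_hex), payload, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def validate_vulnerable(key_hex: str, notification: dict, provided: str) -> bool:
    # Plain `==` stops at the first mismatching character, so response time
    # grows with the length of the correct prefix: the timing side channel.
    return compute_signature(key_hex, notification) == provided


def validate_fixed(key_hex: str, notification: dict, provided: str) -> bool:
    # hmac.compare_digest examines every byte regardless of where they differ.
    expected = compute_signature(key_hex, notification)
    return hmac.compare_digest(expected.encode("ascii"), provided.encode("ascii"))


def prefix_compare_steps(expected: str, provided: str) -> int:
    """Model of the leak: characters a short-circuiting compare inspects."""
    steps = 0
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            break
    return steps
```

Both validators accept the same genuine signatures; the difference is only in how much the rejection path reveals, which is why the fix is a drop-in replacement of the comparison.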

Weakness Enumeration

Side Channel Attack

Related Identifiers

CVE-2023-32694
GHSA-3RQJ-9V87-2X3F

Affected Products

Adyen
Saleor Core