GHSA-f3q4-ggfp-jv34
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f3q4-ggfp-jv34
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-f3q4-ggfp-jv34/GHSA-f3q4-ggfp-jv34.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-f3q4-ggfp-jv34
- Published
- 2024-08-30T18:51:58Z
- Modified
- 2024-12-01T05:32:52.294050Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Adyen APIs Library for Python timing attack vulnerability
- Details
-
Adyen has utility methods for validating notification HMAC signatures. The
is_valid_hmacandis_valid_hmac_notificationmethods are vulnerable to a timing attack, you should compare the hash of the HMACs instead. - Database specific
{ "github_reviewed_at": "2024-08-30T18:51:58Z", "severity": "MODERATE", "cwe_ids": [ "CWE-347" ], "github_reviewed": true, "nvd_published_at": null }- References
-
- https://github.com/Adyen/adyen-python-api-library/issues/168
- https://github.com/Adyen/adyen-python-api-library/pull/170
- https://github.com/Adyen/adyen-python-api-library/commit/3292133dbc00ffc4cccfb92de672a76eaa587ca5
- https://github.com/Adyen/adyen-python-api-library
- https://github.com/pypa/advisory-database/tree/main/vulns/adyen/PYSEC-2023-1.yaml
Affected packages
PyPI / adyen
Package
- Name
- adyen
- View open source insights on deps.dev
- Purl
- pkg:pypi/adyen