Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMnI0LTJjcjYtaDNyM84AAlKd
Magento Signature verification bypass
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
Permalink: https://github.com/advisories/GHSA-j2r4-2cr6-h3r3JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMnI0LTJjcjYtaDNyM84AAlKd
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 10 months ago
CVSS Score: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-j2r4-2cr6-h3r3, CVE-2020-9588
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-9588
- https://helpx.adobe.com/security/products/magento/apsb20-22.html
- https://github.com/advisories/GHSA-j2r4-2cr6-h3r3
Affected Packages
packagist:magento/core
Affected Version Ranges: < 1.9.4.5Fixed in: 1.9.4.5
packagist:magento/community-edition
Dependent packages: 13Dependent repositories: 12
Downloads: 48,379 total
Affected Version Ranges: < 2.3.4-p2
Fixed in: 2.3.4-p2
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.3.0, 2.3.1, 2.3.2, 2.3.3
All unaffected versions: 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7