GHSA-f3q4-ggfp-jv34: Adyen APIs Library for Python timing attack vulnerability
The Adyen Python library provides utility methods for validating the HMAC signature carried by incoming notifications (webhooks). The is_valid_hmac
and is_valid_hmac_notification
methods are vulnerable to a timing attack: they check the received signature against the expected one with a comparison that stops at the first mismatching byte, so the time the check takes depends on how many leading bytes of a forged signature are correct, and a remote attacker can use that difference as an oracle to recover a valid signature byte by byte. Signatures must instead be compared in a way that does not leak where they differ: the advisory's recommendation is to compare hashes of the two HMACs; in Python, hmac.compare_digest is the standard constant-time comparison for this purpose.
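The following is an added, self-contained example written for this page; it is not code from the Adyen library. It puts the vulnerable pattern (an early-exit equality check on the signature) next to two safe variants (hmac.compare_digest and the advisory's own suggestion of comparing hashes of the MACs), and then shows why the distinction matters by recovering the signature byte by byte from nothing but how far the comparison got, which stands in for the elapsed time a remote attacker would measure. The notification layout, the colon-joined signing string, the hex-encoded key and all sample values are constructed assumptions, a simplified stand-in for the real scheme; the comparison logic is the point.

```python
import base64
import hashlib
import hmac

# Constructed sample key (hex-encoded 32-byte key) and notification; values are made up.
SAMPLE_HMAC_KEY_HEX = "0123456789abcdef" * 4
SAMPLE_NOTIFICATION = {
    "pspReference": "7914073381342284",
    "originalReference": "",
    "merchantAccountCode": "TestMerchant",
    "merchantReference": "TestPayment-1407325143704",
    "amount": {"value": 1130, "currency": "EUR"},
    "eventCode": "AUTHORISATION",
    "success": "true",
}


def signing_string(notification: dict) -> str:
    """Colon-join the signed fields (assumption: simplified stand-in for the real layout)."""
    amount = notification["amount"]
    parts = [
        notification.get("pspReference", ""),
        notification.get("originalReference", ""),
        notification.get("merchantAccountCode", ""),
        notification.get("merchantReference", ""),
        str(amount["value"]),
        amount["currency"],
        notification["eventCode"],
        notification["success"],
    ]
    return ":".join(parts)


def generate_signature(notification: dict, hmac_key_hex: str) -> str:
    """Base64(HMAC-SHA256(key, signing_string)); 44 ASCII characters."""
    key = bytes.fromhex(hmac_key_hex)
    mac = hmac.new(key, signing_string(notification).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def is_valid_hmac_unsafe(notification: dict, hmac_key_hex: str, received: str) -> bool:
    # VULNERABLE: str `==` returns at the first differing byte, so its running
    # time depends on how long a prefix of the forged signature is correct.
    return generate_signature(notification, hmac_key_hex) == received


def is_valid_hmac_safe(notification: dict, hmac_key_hex: str, received: str) -> bool:
    # hmac.compare_digest takes the same time wherever the inputs differ
    # (a length mismatch returns False without raising).
    expected = generate_signature(notification, hmac_key_hex).encode("utf-8")
    return hmac.compare_digest(expected, received.encode("utf-8"))


def is_valid_hmac_hashed(notification: dict, hmac_key_hex: str, received: str) -> bool:
    # The advisory's suggestion: hash both MACs, then compare. The attacker
    # controls `received` but not where SHA-256(received) first differs from
    # SHA-256(expected), so the early exit of `==` no longer leaks progress.
    expected = generate_signature(notification, hmac_key_hex)
    return (hashlib.sha256(expected.encode("utf-8")).digest()
            == hashlib.sha256(received.encode("utf-8")).digest())


def matched_prefix(a: bytes, b: bytes) -> int:
    """Length of the common prefix of a and b: a model of what an early-exit
    comparison leaks through its running time."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def recover_via_oracle(length: int, oracle) -> bytes:
    """Byte-by-byte recovery: at each position keep the candidate for which
    oracle(guess) reports the comparison got furthest. The oracle stands in
    for timing a request that carries `guess` as the signature."""
    guess = bytearray(length)
    for pos in range(length):
        best_c, best_n = 0, -1
        for c in range(256):
            guess[pos] = c
            n = oracle(bytes(guess))
            if n > best_n:
                best_c, best_n = c, n
        guess[pos] = best_c
    return bytes(guess)


def demo():
    """Run the recovery against the plain and the hashed comparison.
    Returns (recovered_plain, recovered_hashed, expected_signature)."""
    expected = generate_signature(SAMPLE_NOTIFICATION, SAMPLE_HMAC_KEY_HEX).encode("ascii")
    expected_hash = hashlib.sha256(expected).digest()
    plain_oracle = lambda g: matched_prefix(g, expected)
    hashed_oracle = lambda g: matched_prefix(hashlib.sha256(g).digest(), expected_hash)
    return (recover_via_oracle(len(expected), plain_oracle),
            recover_via_oracle(len(expected), hashed_oracle),
            expected)


if __name__ == "__main__":
    plain, hashed, expected = demo()
    print("plain compare leaks the signature:", plain == expected)
    print("hashed compare leaks the signature:", hashed == expected)
```

Against the plain comparison the recovery gets every one of the 44 signature bytes right with at most 256 probes per byte; against the hashed comparison the same loop is chasing prefix matches of SHA-256 outputs, which say nothing about the underlying signature, and it fails. In a real deployment the prefix length is replaced by many timing measurements per candidate to average out network noise, which is why the practical defence is to make the comparison time independent of the inputs rather than to hope the noise hides it.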
References
- github.com/Adyen/adyen-python-api-library
- github.com/Adyen/adyen-python-api-library/commit/3292133dbc00ffc4cccfb92de672a76eaa587ca5
- github.com/Adyen/adyen-python-api-library/issues/168
- github.com/Adyen/adyen-python-api-library/pull/170
- github.com/advisories/GHSA-f3q4-ggfp-jv34
- github.com/pypa/advisory-database/tree/main/vulns/adyen/PYSEC-2023-1.yaml