CVE-2020-9690 — Observable Discrepancy in Magento

CWE-203 — Observable Discrepancy CWE-352 — Cross-Site Request Forgery5 documents4 sources

Severity

4.2MEDIUMNVD

EPSS

0.5%

top 35.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Magento Magento Community-edition Adobe Magento

Timeline

PublishedJul 29

Latest updateMay 24

Description

Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:NExploitability: 0.6 | Impact: 3.6

Affected Packages3 packages

▶NVDmagento/magento< 2.3.5+1

▶Packagistmagento/community-edition< 2.3.5-p2

▶CVEListV5adobe/magento2.3.5-p1 and earlier, and 2.3.5-p1 and earlier versions

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

Magento observable timing discrepancy vulnerability↗2022-05-24

▶

OSV

Magento observable timing discrepancy vulnerability↗2022-05-24

▶

GHSA

Observable Timing Discrepancy in OpenMage LTS↗2020-08-19

▶

CVEList

CVE-2020-9690: Magento versions 2↗2020-07-29

▶