CVE-2020-9588 – magento/core
Package
Manager: composer
Name: magento/core
Vulnerable Version: >=0 <1.9.4.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.01185 (percentile: 0.77994)
Details
Magento Signature verification bypass
Magento versions 2.3.4 and earlier, 2.2.11 and earlier (see note), 1.14.4.4 and earlier, and 1.9.4.4 and earlier have an observable timing discrepancy vulnerability. Successful exploitation could lead to signature verification bypass.
Metadata
Created: 2022-05-24T17:21:49Z
Modified: 2025-02-10T20:30:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2r4-2cr6-h3r3/GHSA-j2r4-2cr6-h3r3.json
CWE IDs: ["CWE-203"]
Alternative ID: GHSA-j2r4-2cr6-h3r3
Finding: F026
Auto approve: 1