CVE-2023-26052 – saleor
Package
Manager: pip
Name: saleor
Vulnerable Version: >=2.0.0 <3.1.48 || >=3.11.0 <3.11.12 || >=3.10.0 <3.10.14 || >=3.9.0 <3.9.27 || >=3.8.0 <3.8.30 || >=3.7.0 <3.7.59
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00599 (percentile: 0.68489)
Details
Saleor Unauthenticated Information Disclosure Vulnerability via Python Exceptions

### Impact

Some internal Python exceptions are not handled properly and are therefore returned by the API as error messages. Some messages might contain sensitive information, such as infrastructure details, in responses to unauthenticated requests.

Affected versions: Saleor ≥ 2.0.0

### Workarounds

None

### For more information

If you have any questions or comments about this advisory:

* Open a discussion at https://github.com/saleor/saleor/discussions
* Email us at [hello@saleor.io](mailto:hello@saleor.io)
Metadata
Created: 2023-03-02T23:04:10Z
Modified: 2023-03-13T19:18:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3hvj-3cg9-v242/GHSA-3hvj-3cg9-v242.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-3hvj-3cg9-v242
Finding: F037
Auto approve: 1