CVE-2023-26052 — Saleor Unauthenticated Information Disclosure Vulnerability via Python Exception

Description

### Impact Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. Affected versions: Saleor ≥ 2.0.0 ### Workarounds None ### For more information If you have any questions or comments about this advisory: * Open a discussion at https://github.com/saleor/saleor/discussions * Email us at [hello@saleor.io](mailto:hello@saleor.io)

How to fix CVE-2023-26052

To remediate CVE-2023-26052, upgrade the affected package to a fixed version below.

—upgrade to 3.1.48 or later

Is CVE-2023-26052 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.0, < 3.1.48

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-26052
PATCHgithub.com/saleor/saleor
WEBgithub.com/saleor/saleor/releases/tag/3.10.14
WEBgithub.com/saleor/saleor/releases/tag/3.11.12
WEB