Miggo Logo
Miggo Vulnerability Database
CVE-2020-9588

CVE-2020-9588: Magento Signature verification bypass

7.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-9588
GHSA ID
GHSA-j2r4-2cr6-h3r3
EPSS Score
0.78046%
CWE
CWE-203
Published
5/24/2022
Updated
2/10/2025
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
magento/community-editioncomposer< 2.3.4-p22.3.4-p2
magento/corecomposer< 1.9.4.51.9.4.5
magento/project-community-editioncomposer<= 2.0.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from an observable timing discrepancy during signature verification. In PHP applications, this typically occurs when comparing cryptographic signatures using non-constant time string comparison methods. Magento's Security::compareStrings function is a prime candidate as it's responsible for secure string comparisons. The vulnerability description matches the pattern where such a function would use simple string equality checks (via '==' or early-exit comparisons) rather than constant-time algorithms like hash_equals(). While no direct patch code is available, this function's role in security-critical comparisons and the nature of the CWE-203 vulnerability strongly indicate it as the source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

M***nto v*rsions *.*.* *n* **rli*r, *.*.** *n* **rli*r (s** not*), *.**.*.* *n* **rli*r, *n* *.*.*.* *n* **rli*r **v* *n o*s*rv**l* timin* *is*r*p*n*y vuln*r**ility. Su***ss*ul *xploit*tion *oul* l*** to si*n*tur* v*ri*i**tion *yp*ss.

Reasoning

T** vuln*r**ility st*ms *rom *n o*s*rv**l* timin* *is*r*p*n*y *urin* si*n*tur* v*ri*i**tion. In P*P *ppli**tions, t*is typi**lly o**urs w**n *omp*rin* *rypto*r*p*i* si*n*tur*s usin* non-*onst*nt tim* strin* *omp*rison m*t*o*s. M***nto's S**urity::*om