CVE-2023-26051: 
Python vulnerability analysis and mitigation

Saleor, a headless GraphQL commerce platform, was found to have a vulnerability where internal Python exceptions were not properly handled and were returned in API error messages (CVE-2023-26051). The vulnerability was discovered and disclosed on February 3, 2023, affecting all versions of Saleor from 2.0.0 onwards. This security issue primarily impacts staff-authenticated requests where sensitive information like user email addresses could be exposed through error messages (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.5 (Moderate severity) with the following metrics: Network attack vector, Low attack complexity, Low privileges required, No user interaction needed, Unchanged scope, High confidentiality impact, and No impact on integrity or availability (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The issue is categorized as CWE-209, relating to information exposure through error messages (GitHub Advisory).

The vulnerability could lead to the disclosure of sensitive information through error messages in staff-authenticated requests. Specifically, internal Python exceptions could reveal sensitive data such as user email addresses and other potentially confidential information (GitHub Advisory).

The vulnerability has been patched in multiple versions including 3.11.12, 3.10.14, 3.9.27, 3.8.30, 3.7.59, and 3.1.48. The fix involves proper handling of internal Python exceptions and implementing controls to prevent sensitive information disclosure through error messages. No workarounds were provided for unpatched systems (GitHub Advisory).