Strapi < 4.8.0 Private Fields Sensitive Information Disclosure

medium Web App Scanning Plugin ID 114108

Synopsis

Strapi < 4.8.0 Private Fields Sensitive Information Disclosure

Description

Strapi is a popular open-source headless Content Management System (CMS) written in Node.js. Strapi versions before 4.8.0 suffer from an information disclosure vulnerability through the private fields of collections. By manipulating the query filters of public collections, a remote, unauthenticated attacker can infer sensitive information such as encrypted passwords or password reset tokens by analyzing discrepancies in the responses. Upon successful exploitation, the attacker can gain administrative access to the Strapi administration panel.

Solution

Upgrade Strapi to version 4.8.0 or later.

See Also

https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8

https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

https://www.ghostccamm.com/blog/multi_strapi_vulns

Plugin Details

Severity: Medium

ID: 114108

Type: remote

Published: 11/15/2023

Updated: 5/27/2024

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:N/A:N

CVSS Score Source: CVE-2023-22894

CVSS v3

Risk Factor: Medium

Base Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2023-22894

Vulnerability Information

CPE: cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/18/2023

Reference Information

CVE: CVE-2023-22894

CWE: 200, 266, 284, 312

OWASP: 2010-A6, 2010-A8, 2013-A2, 2013-A5, 2013-A7, 2013-A9, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A4, 2021-A6

WASC: Application Misconfiguration, Authentication Bypass, Information Leakage, Insufficient Authorization

CAPEC: 116, 122, 13, 169, 19, 22, 224, 233, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 441, 472, 478, 479, 497, 502, 503, 508, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 573, 574, 575, 576, 577, 578, 58, 59, 60, 616, 643, 646, 651, 79

DISA STIG: APSC-DV-000460, APSC-DV-000500, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1, 4.0.2-8.3.4

PCI-DSS: 3.2-6.2, 3.2-6.5.8