CVE-2023-34235 – @strapi/database

Package

Manager: npm
Name: @strapi/database
Vulnerable Version: >=0 <4.10.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0164 pctl0.8124

Details

Leaking sensitive user information still possible by filtering on private with prefix fields ### Summary Still able to leak private fields if using the t(number) prefix ### Details Knex query allows you to change there default prefix ```SqliteError: select distinct `t0`.* from `pages` as `t0` left join `admin_users` as `t1` on `t0`.`updated_by_id` = `t1`.`id` where (`t1`.`password` = 1)``` so if you change the prefix to the same as it was before or to an other table you want to query you query changes from password to t1.password password is protected by filtering protections but t1.password is not protected ### PoC 1 Create a contentType 2 add to its options "populateCreatorFields" 3 create 1 entity in your new content type 4 in settings enable the find route in settings for the content type you created for public 5 /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=a%24 And now the api returns noting if you were to do /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=%24 it would return your entity ### Impact You can do filtering attacks on everything related to the object again including admin passwords and reset-tokens.

Metadata

Created: 2023-07-25T17:17:37Z
Modified: 2023-07-25T17:17:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9xg4-3qfm-9w8f/GHSA-9xg4-3qfm-9w8f.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-9xg4-3qfm-9w8f
Finding: F038
Auto approve: 1