logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-22894 @strapi/strapi

Package

Manager: npm
Name: @strapi/strapi
Vulnerable Version: >=3.2.1 <4.8.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.15192 pctl0.94353

Details

Strapi leaking sensitive user information by filtering on private fields ### Summary Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. ### Details Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. The unauthenticated attacker can filter users by columns that contain sensitive information and infer the values by the changes in the API responses. An unauthenticated attacker can exploit this vulnerability to hijack Strapi administrator accounts and gain unauthorized Strapi Super Administrator access by leaking the password reset token and changing the admin password. This can be exploited on all Strapi versions <=4.7.1. ### IoC The exploitation of CVE-2023-22894 is easily detectable, since the payload is within the GET parameters and are normally included in request logs. The following regex pattern will extract requests that are exploiting this vulnerability to leak user's email, password and password reset token columns. `/(\[|%5B)\s*(email|password|reset_password_token|resetPasswordToken)\s*(\]|%5D)/` You can search log files for this IoC by using the following grep command. `grep -iE '(\[|%5B)\s*(email|password|reset_password_token|resetPasswordToken)\s*(\]|%5D)' $PATH_TO_LOG_FILE` If the above regex pattern matches any lines in your log files, take extra precaution to look out for multiple requests that include password, reset_password_token or resetPasswordToken. This would indicate that an attacker has leaked the password hashes and reset tokens on your Strapi server and you need to immediately start an incident response! ### Impact All Strapi users below 4.8.0

Metadata

Created: 2023-04-19T21:41:26Z
Modified: 2023-04-19T21:41:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-jjqf-j4w7-92w8/GHSA-jjqf-j4w7-92w8.json
CWE IDs: ["CWE-312"]
Alternative ID: GHSA-jjqf-j4w7-92w8
Finding: F020
Auto approve: 1