According to researchers with the Synopsys Cybersecurity Research Center (CyRC), the flaws allow a low-privileged user to access sensitive information that can be used to perform a password reset for a higher-privileged account, such as the administrator. This means attackers need to gain access to a low-privileged account first, which can be achieved through compromised credentials, phishing or other methods.
Strapi is open source and gives companies an easy way to design APIs for a variety of use cases. While its market share is small compared to general-purpose content management systems such as WordPress or Joomla, the project is popular with enterprises and lists some large organizations as users, including Societe Generale, IBM, NASA, Generali, Walmart and Toyota.
Two similar information exposure flaws in the admin panel and API
The Synopsys researchers found the first vulnerability, tracked as CVE-2022-30617, in November. The flaw allows an authenticated user who has access to the Strapi admin panel to access email and password reset tokens for administrative users with whom they have a content relationship.
“For example, a low-privileged ‘Author’ role account can view these details in the JSON response for an ‘Editor’ or ‘Super Admin’ that has updated one of the author’s blog posts,” the researchers explained in their advisory. “There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship.”
With the leaked information an attacker can initiate the password reset workflow for the higher-privileged user. Strapi supports role-based access control (RBAC) and single sign-on (SSO) integration with identity providers and Microsoft Active Directory.
The CVE-2022-30617 flaw is rated 8.8 (High) in the Common Vulnerability Scoring System (CVSS) and was patched in Strapi v4.0.0 back in November. However, the patch was backported to Strapi v3.6.10, which was released this month.
After reviewing the initial fix for CVE-2022-30617, the Synopsys researchers found a similar vulnerability in the API permissions system that affects API users managed by the users-permissions plugin. This new vulnerability is tracked as CVE-2022-30618 and is rated 7.5 (High).
The flaw allows authenticated users with access to the Strapi admin panel to access email and password reset tokens for API users if the content they have access to also has a relationship to other API users. Exploitation requires the password reset API endpoint to be enabled.
“In a worst-case scenario, a low-privileged user gets access to a high-privileged API account and can thereby read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users,” the researchers said.
The CVE-2022-30618 flaw was reported to the Strapi maintainers in December and was fixed in versions 3.6.10 and 4.0.10, which were released on May 11.
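Both flaws share one mechanism: a user record reached through a content relationship (directly or indirectly) is serialized into the JSON response with its credential-bearing fields intact. The example below is added here to illustrate the defensive pattern that addresses that class of bug: an outbound redaction pass that strips such fields at every depth of a response, plus a check that reports any that survive. It is not Strapi's code or the vendor's fix; the field names, the payload shape and the helper functions are assumptions constructed for this illustration.

```javascript
// Added illustration, not Strapi's code. Field names, payload shape and helpers
// are assumptions. Credential-bearing keys that must never leave the server,
// whatever relation they are reached through.
const SENSITIVE_FIELDS = new Set([
  'password',
  'resetPasswordToken',
  'registrationToken',
  'confirmationToken',
  'email',
]);

// Walk any JSON value and return a copy with sensitive keys removed at every
// depth, so a user record populated via a nested relation is covered too.
function redactSensitive(value) {
  if (Array.isArray(value)) {
    return value.map(redactSensitive);
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, inner] of Object.entries(value)) {
      if (SENSITIVE_FIELDS.has(key)) continue;
      out[key] = redactSensitive(inner);
    }
    return out;
  }
  return value;
}

// Report the key paths of every sensitive field still present in a response.
// Usable as a regression test on serializers or as a last-line outbound check.
function findLeakedPaths(value, prefix = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findLeakedPaths(v, `${prefix}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, inner] of Object.entries(value)) {
      const path = prefix ? `${prefix}.${key}` : key;
      if (SENSITIVE_FIELDS.has(key)) hits.push(path);
      hits.push(...findLeakedPaths(inner, path));
    }
  }
  return hits;
}

// Constructed sample: a blog post whose "updatedBy" relation and a nested
// comment author were serialized with their full user records (placeholder values).
const SAMPLE_RESPONSE = {
  id: 42,
  title: 'Quarterly update',
  updatedBy: {
    id: 1,
    username: 'superadmin',
    email: 'admin@example.invalid',
    resetPasswordToken: 'PLACEHOLDER-RESET-TOKEN',
    roles: [{ id: 1, name: 'Super Admin' }],
  },
  comments: [
    {
      id: 7,
      body: 'Looks good',
      author: { id: 9, username: 'editor', password: 'PLACEHOLDER-HASH' },
    },
  ],
};

// Stand-alone usage: list what would leak, then show the redacted payload.
console.log('leaked paths before redaction:', findLeakedPaths(SAMPLE_RESPONSE));
console.log(JSON.stringify(redactSensitive(SAMPLE_RESPONSE), null, 2));
```

The design point is that the redaction is applied to the serialized output rather than to one query: a per-endpoint fix only closes the relation the reporter happened to find, while the researchers note that the same details can leak through many direct or indirect relationships. `findLeakedPaths` doubles as a detection hook, since a non-empty result on a response is a signal worth alerting on.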
Copyright © 2022 IDG Communications, Inc.