Disclosure Summary
Thanks to three community members, we have been notified and patched four security vulnerabilities:
- CVE-2023-36472: GHSA-v8gg-4mq2-88q4
- CVE-2023-38507: GHSA-24q2-59hm-rh9r
- CVE-2023-37263: GHSA-m284-85mf-cgrc
- CVE-2023-39345: GHSA-gc7p-j5xm-xxh2
Per our security policy, we are performing our due diligence by publicly disclosing these vulnerabilities after careful testing, validation, communication, and our mandatory waiting period. For further details of the patched vulnerabilities, please refer to the information below or consult the linked GitHub Advisories.
We would like to thank the following community members for their participation in our security program:
- Boegie19 for reporting CVE-2023-36472 & CVE-2023-37263
- scgajge12 for reporting CVE-2023-38507
- dogusdeniz for reporting CVE-2023-39345
Immediate resolution steps for all vulnerabilities disclosed here
To immediately resolve all vulnerabilities detailed in this post, please update all of your Strapi packages to version v4.13.5. To upgrade your Strapi application, whether self-hosted (community & enterprise) or on Strapi Cloud, please see our update guide and any relevant migration guides.
Note that the patched version was originally v4.13.1; however, there were a few hotfixes for some unrelated issues, which is why we recommend upgrading straight to v4.13.5 or greater.
CVE-2023-36472: Leaking sensitive user information, user reset password tokens, via content-manager views
Summary of CVE-2023-36472 Vulnerability Details
- CVE: CVE-2023-36472
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
- Affected Versions: <=4.11.6
- How to Patch: Immediately update your Strapi to version >=4.11.7
Description of CVE-2023-36472
The content-manager plugin was not configured to filter out specific types of fields that cannot be assigned to views. Where such a field was allowed to be shown and was a relation, it was also possible to select a main field for the relation dropdown whose value was then displayed. This was corrected by properly preventing certain attributes from being shown within the content-manager views and by reusing the previously built sanitization functions so that the values of these attributes are not sent to the admin panel.
This vulnerability requires direct authorized access to the Strapi admin panel and requires permissions to be able to modify the content-manager views.
IoC's for CVE-2023-36472
Review your content-manager views to ensure the main fields were not changed to private attributes. Due to the nature of this vulnerability, there are no other indicators of compromise.
Timeline for CVE-2023-36472
| Time | Event | 
|---|---|
| 2023/06/19 08:35am GMT | Report of the vulnerability received by the Strapi Security Team | 
| 2023/06/28 06:55am GMT | Vulnerability report was accepted by the Strapi Team | 
| 2023/06/28 02:10pm GMT | Patch developed and pushed to internal fork for testing | 
| 2023/06/28 02:22pm GMT | Patch verified internally and merged into the main codebase | 
| 2023/06/28 12:36pm GMT | Experimental release was created and passed to the reporter to verify patch | 
| 2023/06/28 01:49pm GMT | Reporter verified patch worked as expected | 
| 2023/06/28 02:15pm GMT | Patch was released in Strapi version v4.11.7 | 
| 2023/06/28 03:03pm GMT | GitHub issued CVE-2023-36472 per our request | 
| 2023/06/28 03:15pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed | 
| 2023/07/20 05:21pm GMT | Disclosure placed on hold due to another related vulnerability | 
| 2023/07/20 05:21pm GMT | New waiting period of an additional 2 weeks initiated | 
| 2023/08/25 09:31pm GMT | Disclosure placed on hold due to another related vulnerability | 
| 2023/08/31 10:44pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts | 
| 2023/08/31 10:44pm GMT | Mandatory waiting period of 2 weeks initiated | 
| 2023/09/13 05:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories | 
| 2023/09/13 08:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts | 
CVE-2023-38507: Improper Rate Limiting
Summary of CVE-2023-38507 Vulnerability Details
- CVE: CVE-2023-38507
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Affected Versions: <=4.12.0
- How to Patch: Immediately update your Strapi to version >=4.12.1
Description of CVE-2023-38507
Due to a bug in the way the default rate-limiting middlewares were constructed, and due to the way Koa.js parses the path when checking against koa-router, it was possible to bypass the rate limits by slightly altering the API requests: swapping lower-case letters for upper-case ones, or adding a trailing slash to the request. Koa router handles these variations by default when running the regex to match the routes, but it does not update the internal reference within the ctx.request object, so our default middlewares were constructing a rate-limit key that took ctx.request.path literally with no transformation. This was corrected by properly constructing a new key that forces the path to lower case and removes any extra trailing slash for the purposes of rate-limiting. Both the admin-api and users-permissions auth endpoints were fixed, and their rate-limit middlewares were harmonized to ensure the same rate-limit logic is applied to both in the correct way.
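The following is an added example, not Strapi's own middleware code, showing the mechanism described above in isolation: a rate-limit key built from the literal request path gives every case or trailing-slash spelling of the same route its own counter, while a key built from a normalized path makes them share one. The limiter, IP address and path variants are constructed for the demonstration.

```javascript
// Added example (not Strapi's own code): literal vs. normalized rate-limit keys.

// Naive key: uses the path exactly as received, so "/api/auth/local/" and
// "/API/auth/local" count separately from "/api/auth/local".
function naiveKey(ip, path) {
  return `${ip}:${path}`;
}

// Lower-case the path and strip trailing slashes so every spelling of the
// same route maps to one key (an empty result means the root path).
function normalizePath(path) {
  const trimmed = path.toLowerCase().replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

function hardenedKey(ip, path) {
  return `${ip}:${normalizePath(path)}`;
}

// Minimal fixed-window limiter, sufficient to show the effect of the key choice.
class FixedWindowLimiter {
  constructor(max, keyFn) {
    this.max = max;
    this.keyFn = keyFn;
    this.hits = new Map();
  }
  // Returns true while the caller is under the limit for its key.
  allow(ip, path) {
    const key = this.keyFn(ip, path);
    const n = (this.hits.get(key) || 0) + 1;
    this.hits.set(key, n);
    return n <= this.max;
  }
}

// Constructed spellings of one logical endpoint.
const VARIANTS = ['/api/auth/local', '/api/auth/local/', '/API/auth/local', '/api/Auth/Local'];

// Send `attempts` requests from one constructed client IP, cycling through the
// variants, and report how many a limiter of `max` per key lets through.
function countAllowed(keyFn, max, attempts) {
  const limiter = new FixedWindowLimiter(max, keyFn);
  let allowed = 0;
  for (let i = 0; i < attempts; i++) {
    if (limiter.allow('203.0.113.10', VARIANTS[i % VARIANTS.length])) allowed++;
  }
  return allowed;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('literal key, limit 5, 20 attempts ->', countAllowed(naiveKey, 5, 20));
  console.log('normalized key, limit 5, 20 attempts ->', countAllowed(hardenedKey, 5, 20));
}
```

With four spellings in rotation and a limit of five per key, the literal key lets all twenty requests through because each spelling fills its own bucket, whereas the normalized key stops the client after five. Any check that keys on a request attribute should derive the key from the same canonical form the router used to match the route.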
IoC's for CVE-2023-38507
Review your application logs to check for a large number of failed authentication requests in a short period of time. Due to the nature of this vulnerability, there are no other indicators of compromise.
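As an added example (not part of the original advisory), the check below scans access-log lines for bursts of failed authentication requests from one client. It normalizes paths the same way the patched rate limiter keys them, so case and trailing-slash variants of an endpoint are counted together; run with normalization switched off, the same burst is missed. The log format, IP addresses and timestamps are constructed for the example.

```javascript
// Added example (not Strapi's own code): detect bursts of failed auth requests.

// Constructed sample log lines: ISO timestamp, client IP, method, path, status.
const SAMPLE_LOG = [
  '2023-09-13T10:00:01Z 203.0.113.10 POST /api/auth/local 400',
  '2023-09-13T10:00:02Z 203.0.113.10 POST /api/auth/local/ 400',
  '2023-09-13T10:00:03Z 203.0.113.10 POST /API/auth/local 400',
  '2023-09-13T10:00:04Z 203.0.113.10 POST /api/Auth/Local 400',
  '2023-09-13T10:00:05Z 203.0.113.10 POST /api/auth/local// 400',
  '2023-09-13T10:00:06Z 203.0.113.10 POST /api/auth/local 400',
  '2023-09-13T10:00:07Z 198.51.100.7 POST /api/auth/local 200',
  '2023-09-13T10:00:08Z 198.51.100.7 GET /api/articles 200',
  '2023-09-13T10:05:00Z 203.0.113.10 POST /api/auth/local 400',
];

// Endpoints whose failures are worth counting (constructed list).
const AUTH_PATHS = new Set(['/api/auth/local', '/admin/login']);
const LINE_RE = /^(\S+) (\S+) (\S+) (\S+) (\d{3})$/;

function normalizePath(path) {
  const trimmed = path.toLowerCase().replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

function parseLine(line, normalize) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // unparseable line is skipped, not fatal
  return {
    ts: Date.parse(m[1]),
    ip: m[2],
    method: m[3],
    path: normalize ? normalizePath(m[4]) : m[4],
    status: Number(m[5]),
  };
}

// Returns one alert per (ip, path) whose densest `windowMs` span holds at
// least `threshold` failed (4xx) requests to an auth endpoint.
function findAuthBursts(lines, { threshold = 5, windowMs = 60_000, normalize = true } = {}) {
  const buckets = new Map();
  for (const line of lines) {
    const e = parseLine(line, normalize);
    if (!e || !AUTH_PATHS.has(e.path) || e.status < 400 || e.status > 499) continue;
    const key = `${e.ip} ${e.path}`;
    if (!buckets.has(key)) buckets.set(key, []);
    buckets.get(key).push(e.ts);
  }
  const alerts = [];
  for (const [key, stamps] of buckets) {
    stamps.sort((a, b) => a - b);
    let start = 0, best = 0, bestStart = 0;
    for (let end = 0; end < stamps.length; end++) {
      while (stamps[end] - stamps[start] > windowMs) start++; // slide the window
      if (end - start + 1 > best) { best = end - start + 1; bestStart = start; }
    }
    if (best >= threshold) {
      const [ip, path] = key.split(' ');
      alerts.push({ ip, path, failures: best, from: new Date(stamps[bestStart]).toISOString() });
    }
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('normalized:', findAuthBursts(SAMPLE_LOG));
  console.log('literal paths:', findAuthBursts(SAMPLE_LOG, { normalize: false }));
}
```

On the sample, the normalized scan reports six failures from 203.0.113.10 inside one minute; the literal scan sees only two hits on the exact string "/api/auth/local" in that window and reports nothing. Whatever log source you use, apply the same normalization before grouping, or the evasion that defeated the rate limiter will also hide the attempt from the review.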
Timeline for CVE-2023-38507
| Time | Event | 
|---|---|
| 2023/06/05 07:55pm GMT | Report of the vulnerability received by the Strapi Security Team | 
| 2023/06/12 09:27am GMT | Vulnerability report was accepted by the Strapi Team | 
| 2023/06/21 03:58pm GMT | Reporter provided additional reproduction information and similar CVEs from other software | 
| 2023/06/29 11:13pm GMT | Reporter asked for an update on when patch development would start | 
| 2023/07/03 07:29pm GMT | Patch developer notified reporter that patch development would begin soon as we had some people on vacation | 
| 2023/07/17 09:00pm GMT | Patch was developed and internal private PR created | 
| 2023/07/17 09:00pm GMT | An experimental release was made with the changes communicated previously for testing | 
| 2023/07/17 12:19am GMT | Reporter notified the Strapi Security Team that an additional workaround to the fix could still lead to the vulnerability | 
| 2023/07/19 07:27am GMT | Patch updated to fix the additional workaround and a new experimental release created | 
| 2023/07/26 01:19pm GMT | GitHub issued CVE-2023-38507 per our request | 
| 2023/07/26 01:19pm GMT | Patch was released in Strapi version v4.12.1 | 
| 2023/08/03 09:23pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed | 
| 2023/08/25 09:31pm GMT | Disclosure placed on hold due to another related vulnerability | 
| 2023/08/31 10:44pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts | 
| 2023/08/31 10:44pm GMT | Mandatory waiting period of 2 weeks initiated | 
| 2023/09/13 05:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories | 
| 2023/09/13 08:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts | 
CVE-2023-37263: Field level permissions not being respected in relationship title
Summary of CVE-2023-37263 Vulnerability Details
- CVE: CVE-2023-37263
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
- Affected Versions: <=4.12.0
- How to Patch: Immediately update your Strapi to version >=4.12.1
Description of CVE-2023-37263
RBAC permissions were not being properly respected within the content-manager views, allowing private fields to be set as the entity title within the content-manager edit view. This was resolved by adding a check that validates whether a field is private or sensitive in nature; such fields are no longer offered to the user as options for the entity title. Likewise, if any were previously changed, they will default back to the entity's ID without any user modification needed.
IoC's for CVE-2023-37263
Review your content-manager views to ensure the title field was not changed to a private attribute. Due to the nature of this vulnerability, there are no other indicators of compromise.
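The following added example (not Strapi's own code) covers the two content-manager issues above and their indicators of compromise in one place: it decides which attributes of a content type may serve as the display title ("main field") of a view or of a relation dropdown, falls back to the ID when a private attribute was configured, and audits saved view configurations for that condition. The schema shapes, attribute names and view records are a simplified, constructed stand-in for Strapi's content-type schemas and view settings, and the set of excluded types is an assumption of the example.

```javascript
// Added example (not Strapi's own code): main-field selection and view audit.

// Constructed, simplified schemas. `private: true` marks attributes that must
// never be rendered in the admin panel.
const USER_SCHEMA = {
  uid: 'plugin::users-permissions.user',
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
    confirmationToken: { type: 'string', private: true },
    role: { type: 'relation', target: 'plugin::users-permissions.role' },
  },
};
const ROLE_SCHEMA = {
  uid: 'plugin::users-permissions.role',
  attributes: { name: { type: 'string' }, description: { type: 'string' } },
};
const ARTICLE_SCHEMA = {
  uid: 'api::article.article',
  attributes: {
    title: { type: 'string' },
    body: { type: 'richtext' },
    author: { type: 'relation', target: 'plugin::users-permissions.user' },
  },
};
const SCHEMAS = new Map([USER_SCHEMA, ROLE_SCHEMA, ARTICLE_SCHEMA].map((s) => [s.uid, s]));

// Attribute types that cannot act as a human-readable title (assumed list).
const NON_TITLE_TYPES = new Set(['password', 'relation', 'component', 'dynamiczone', 'media', 'json', 'richtext']);

// "id" is always acceptable; anything unknown, private, or of a non-title type is not.
function isSafeMainField(schema, name) {
  if (name === 'id') return true;
  const attr = schema.attributes[name];
  if (!attr || attr.private === true) return false;
  return !NON_TITLE_TYPES.has(attr.type);
}

// What the admin UI should offer as title candidates.
function selectableMainFields(schema) {
  return ['id', ...Object.keys(schema.attributes).filter((n) => isSafeMainField(schema, n))];
}

// What to actually render: the configured field if safe, otherwise the ID.
function resolveMainField(schema, configured) {
  return isSafeMainField(schema, configured) ? configured : 'id';
}

// Audit saved views: [{ uid, mainField, relations: { attrName: mainFieldOfTarget } }].
function auditViews(schemas, views) {
  const findings = [];
  for (const v of views) {
    const schema = schemas.get(v.uid);
    if (!schema) { findings.push({ uid: v.uid, field: null, problem: 'unknown content type' }); continue; }
    if (!isSafeMainField(schema, v.mainField)) {
      findings.push({ uid: v.uid, field: v.mainField, problem: 'title is private or not title-capable', resolved: 'id' });
    }
    for (const [attrName, targetField] of Object.entries(v.relations || {})) {
      const rel = schema.attributes[attrName];
      const target = rel && rel.type === 'relation' ? schemas.get(rel.target) : undefined;
      if (!target) { findings.push({ uid: v.uid, field: attrName, problem: 'relation target unknown' }); continue; }
      if (!isSafeMainField(target, targetField)) {
        findings.push({ uid: v.uid, field: `${attrName}.${targetField}`, problem: 'relation main field is private or not title-capable', resolved: 'id' });
      }
    }
  }
  return findings;
}

// Constructed view configurations, two of which exhibit the reported condition.
const SAMPLE_VIEWS = [
  { uid: 'plugin::users-permissions.user', mainField: 'resetPasswordToken', relations: { role: 'name' } },
  { uid: 'api::article.article', mainField: 'title', relations: { author: 'resetPasswordToken' } },
  { uid: 'plugin::users-permissions.role', mainField: 'name' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(selectableMainFields(USER_SCHEMA));
  console.log(auditViews(SCHEMAS, SAMPLE_VIEWS));
}
```

The audit flags the user view whose title was set to resetPasswordToken and the article view whose author dropdown would display that same token, and reports that both resolve to the ID. Running a check like this over exported view settings is the concrete form of the "review your content-manager views" advice above; the enforcement side is that the UI only offers what `selectableMainFields` returns.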
Timeline for CVE-2023-37263
| Time | Event | 
|---|---|
| 2023/07/01 04:46pm GMT | Report of the vulnerability received by the Strapi Security Team | 
| 2023/07/06 04:26pm GMT | Vulnerability report was accepted by the Strapi Team | 
| 2023/07/06 04:26pm GMT | GitHub issued CVE-2023-37263 per our request | 
| 2023/07/25 03:34pm GMT | An experimental release was made with the changes communicated previously for testing | 
| 2023/07/27 02:18pm GMT | Patch was released in Strapi version v4.12.1 | 
| 2023/08/03 09:32pm GMT | Disclosure communication placed on hold due to internal requirements and other vulnerability work being performed | 
| 2023/08/25 09:31pm GMT | Disclosure placed on hold due to another related vulnerability | 
| 2023/08/31 10:44pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts | 
| 2023/08/31 10:44pm GMT | Mandatory waiting period of 2 weeks initiated | 
| 2023/09/13 05:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories | 
| 2023/09/13 08:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts | 
CVE-2023-39345: Unauthorized Access to Private Fields in User Registration API
Summary of CVE-2023-39345 Vulnerability Details
- CVE: CVE-2023-39345
- CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
- Affected Versions: <4.13.1
- How to Patch: Immediately update your Strapi to version >=4.13.5
Description of CVE-2023-39345
In Strapi versions prior to v4.13.1, custom fields added to the users-permissions user were not properly validated or sanitized during registration as we were only handling fields which Strapi originally added.
For the fix, we opted to continue to allow users to handle custom fields during registration, but added both a warning to users when the app starts and some configuration options that let them strictly control which custom fields are allowed to be set during registration (that is, when calling the /api/auth/local/register route).
For this vulnerability, we opted not to construct any IoCs since it generally required manual user input for some custom fields. If you are unsure, review your users-permissions content-type for any fields you added, then check your registered users to confirm which of those fields contain data and whether they should.
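As an added example (not Strapi's own code), the functions below show the shape of the fix described above: a registration body is reduced to the base fields plus an explicit allowlist of custom fields, server-managed fields are refused even if listed, and a startup check warns when custom fields exist but no allowlist has been configured. The `register.allowedFields` option name mirrors the plugin configuration the advisory refers to but is treated here as an assumption, and the request body and attribute list are constructed.

```javascript
// Added example (not Strapi's own code): allowlisting registration fields.

// Fields the registration endpoint has always accepted from the client.
const BASE_REGISTER_FIELDS = ['username', 'email', 'password'];

// Fields the plugin manages itself; never accept these from a request,
// regardless of configuration.
const ALWAYS_BLOCKED = new Set([
  'id', 'role', 'confirmed', 'blocked', 'provider', 'resetPasswordToken', 'confirmationToken',
]);

// Attributes of the default user content type (constructed list, used to tell
// custom fields apart from built-in ones).
const DEFAULT_USER_ATTRIBUTES = new Set([
  'username', 'email', 'provider', 'password', 'resetPasswordToken',
  'confirmationToken', 'confirmed', 'blocked', 'role',
]);

// Build a filter from a plugin-style config: { register: { allowedFields: [...] } }.
function buildRegistrationFilter(config = {}) {
  const custom = (config.register && config.register.allowedFields) || [];
  const allowed = new Set([...BASE_REGISTER_FIELDS, ...custom.filter((f) => !ALWAYS_BLOCKED.has(f))]);
  return function filterRegistration(body) {
    const accepted = {};
    const dropped = [];
    for (const [key, value] of Object.entries(body)) {
      if (allowed.has(key)) accepted[key] = value;
      else dropped.push(key); // log these in a real app; they are the signal
    }
    return { accepted, dropped };
  };
}

// Startup check: custom attributes present but no allowlist configured.
// Returns a warning string, or null when there is nothing to warn about.
function startupWarning(userAttributeNames, config = {}) {
  const custom = userAttributeNames.filter((n) => !DEFAULT_USER_ATTRIBUTES.has(n));
  const configured = config.register && Array.isArray(config.register.allowedFields);
  if (custom.length === 0 || configured) return null;
  return `Custom user fields ${custom.join(', ')} can be set at registration; ` +
    'set register.allowedFields to restrict them.';
}

// Constructed registration body mixing legitimate fields with ones a client
// must not control.
const SAMPLE_BODY = {
  username: 'alice',
  email: 'alice@example.com',
  password: 'correct horse battery staple',
  nickname: 'al',
  confirmed: true,
  role: 1,
  credits: 999999,
};
const SAMPLE_USER_ATTRIBUTES = [...DEFAULT_USER_ATTRIBUTES, 'nickname', 'credits'];

if (typeof require !== 'undefined' && require.main === module) {
  const strict = buildRegistrationFilter({ register: { allowedFields: [] } });
  console.log(strict(SAMPLE_BODY));
  console.log(startupWarning(SAMPLE_USER_ATTRIBUTES, {}));
}
```

With an empty allowlist only username, email and password survive; adding "nickname" to the list admits that one field while "role" and "confirmed" are still dropped even if an operator lists them. The dropped-field list is also the cheapest place to look when deciding whether custom fields were ever populated by clients rather than by administrators.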
For additional details on how to configure the allowed fields in this version please see the following documentation.
Timeline for CVE-2023-39345
| Time | Event | 
|---|---|
| 2023/06/19 01:22am GMT | Report of the vulnerability received by the Strapi Security Team | 
| 2023/07/07 06:04pm GMT | Vulnerability report was accepted by the Strapi Team | 
| 2023/07/20 04:43pm GMT | An experimental release was made with the changes communicated previously for testing | 
| 2023/08/04 06:45pm GMT | GitHub issued CVE-2023-39345 per our request | 
| 2023/08/30 03:20pm GMT | Patch was released in Strapi version v4.13.1 | 
| 2023/08/31 10:44pm GMT | Initial warning email was sent out to all Strapi Enterprise and Cloud Customers including Strapi partners with active enterprise contracts | 
| 2023/08/31 10:44pm GMT | Mandatory waiting period of 2 weeks initiated | 
| 2023/09/13 05:00pm GMT | Released the full disclosure of the vulnerability and published GitHub Advisories | 
| 2023/09/13 08:00pm GMT | Disclosure email was sent out to all Strapi Enterprise and Cloud Customers, including Strapi partners with active enterprise contracts | 
Commitment to Responsible Disclosure
We at Strapi believe in responsible disclosure. In the case of these vulnerabilities, we worked with the security researchers to ensure that the vulnerabilities were patched before their full disclosure. Once a vulnerability was patched, we added a notice to our release notes to inform users that there had been a security vulnerability, but deliberately delayed detailed disclosure for a few weeks to give users time to upgrade before the full disclosure was released. As an additional step, we notified our customers via several emails beforehand to ensure they were aware of the vulnerabilities and could upgrade their Strapi servers.
In this case, we believe that delaying the detailed disclosure was important to ensure that users had the time required to upgrade their Strapi servers before the details of each vulnerability were made public and thereby placed in the hands of bad actors. We also believe that the security researchers were very professional and responsible in handling the vulnerabilities, and we are very thankful for their work in helping us improve the security of Strapi.
We urge anyone who believes they have discovered a security vulnerability to assist us in responsibly disclosing the vulnerability to us by submitting a GitHub Advisory on our main repo or by contacting our security team via security@strapi.io.
Thanks,
The Strapi Security Team