Strapi releases update addressing two bugs that lead to data exposure
Popular open source content management system (CMS) Strapi released patches addressing two vulnerabilities that would allow hackers to view private and sensitive data, such as email and password reset tokens.
Strapi is known for its “headless” CMS, which means the front end and back end of the system are completely separate. Thousands of companies use the software, according to David Johansson, principal security consultant at Synopsys Software Integrity Group, which discovered the issues.
The vulnerabilities were discovered in November and Strapi initially patched CVE-2022-30617 that same month. But other issues were found, and another patch was issued for CVE-2022-30617 and CVE-2022-30618 on May 11.
CVE-2022-30617 has a CVSS base score of 8.8 and CVE-2022-30618 has a score of 7.5.
Johansson said Strapi has nearly 40,000 weekly downloads on NPM for its latest release and about 25,000 weekly downloads for its older version.
His team found the vulnerabilities in the admin panel and said they could easily lead to account compromise.
He was unsure how many installations are currently vulnerable, but considering the patch was only released in recent weeks, it is “reasonable to assume that not everyone has upgraded yet.”
“Excessive data exposure is a very widespread weakness and listed as #3 in OWASP API Security Top 10 list. A malicious user that has access to the Strapi web-based UI (e.g., a content author) can use the vulnerabilities to compromise other accounts in the platform,” he explained.
“In general, this means that an attacker could read and edit content belonging to other authors, and if the compromised user account has a different user role the attacker may be able to gain additional privileges.”
According to Johansson, the worst-case scenario would be one in which a “Super Admin” account is targeted, leading to total compromise of the Strapi installation.
That would allow an attacker to read, modify or delete any content and change or revoke permissions for all other users.
“While the worst-case scenario is a possible result from both CVE-2022-30617 (primarily affecting v3) and CVE-2022-30618 (affecting both v3 and v4), in practice it is much less likely to occur with the latter (CVE-2022-30618) since it targets API users, who are less likely to have been configured with such powerful permissions,” he added.
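To illustrate the excessive-data-exposure weakness the article describes, here is an added example (not Strapi's code, and not the fixed code from either CVE): a serialiser that returns a whole user record leaks the e-mail and password reset token to any UI user, while an allow-list projection does not, and a small checker scans any API response for sensitive keys so a test suite can catch regressions. The user record and the field names `resetPasswordToken`, `registrationToken` and `password` are constructed for this example.

```javascript
// Added example, not Strapi's own code. Field names and the user record
// below are constructed; adjust the key lists to the real data model.
const SENSITIVE_KEYS = new Set([
  "password", "resetPasswordToken", "registrationToken", "email",
]);

// Fields a content author may legitimately see about another author.
const PUBLIC_USER_FIELDS = ["id", "firstname", "lastname", "username"];

// Constructed sample of a stored admin user, including secrets that
// must never leave the server.
const storedUser = {
  id: 7,
  firstname: "Ada",
  lastname: "Lovelace",
  username: "ada",
  email: "ada@example.com",
  password: "$2a$10$constructed-bcrypt-hash",
  resetPasswordToken: "constructed-reset-token",
  roles: [{ id: 1, name: "Author", code: "strapi-author" }],
};

// Weak: the whole record is serialised, so the e-mail and reset token
// reach any authenticated UI user (excessive data exposure).
function serializeUserUnsafe(user) {
  return JSON.parse(JSON.stringify(user));
}

// Hardened: project an explicit allow-list. Fields not listed never
// leak, including ones added to the model later.
function serializeUserSafe(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

// Defensive check for an integration test or response middleware:
// walks a response body and returns the JSON paths of sensitive keys.
function findSensitiveFields(value, path = "$") {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findSensitiveFields(v, `${path}[${i}]`));
  }
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => {
      const here = `${path}.${k}`;
      return SENSITIVE_KEYS.has(k) ? [here] : findSensitiveFields(v, here);
    });
  }
  return [];
}
```

Running `findSensitiveFields` over every admin API response in a test suite flags a leak by its JSON path, which is how a team can verify that an upgrade (or a custom controller) does not reintroduce this class of exposure.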