Remote code execution in Strapi



Published: 2019-12-06 | Updated: 2022-09-25
Risk: High
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2019-19609
CWE-ID: CWE-20
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software
strapi (Web applications / CMS)

Vendor: strapi.io

Security Bulletin

This security bulletin contains information about 1 vulnerability.

Updated 09.12.2019
Updated description and severity

1) Input validation error

EUVDB-ID: #VU23442

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-19609

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the "installPlugin" and "uninstallPlugin" handler functions. A remote, authenticated administrator can supply crafted input that reaches the "execa" function and execute arbitrary code on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

strapi: 1.0.0 - 3.0.0-beta.17.7


External links

http://bittherapy.net/post/strapi-framework-remote-code-execution/
http://github.com/strapi/strapi/pull/4636

Q & A

Can this vulnerability be exploited remotely?

Yes. The exploitation vector is Network, but an authenticated administrator account is required.

Is there known malware, which exploits this vulnerability?
