SB2023091374 - Multiple vulnerabilities in strapi
Published: September 13, 2023 Updated: April 23, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-37263)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the relationship title handling in @strapi/plugin-content-manager when building relation endpoint responses. A remote privileged user can read a relationship field that is configured as the entry title, even when that field is otherwise not accessible to them, and thereby disclose sensitive information.
User interaction is required: the affected content must be viewed in the content manager.
2) Improper Restriction of Excessive Authentication Attempts (CVE-ID: CVE-2023-38507)
The vulnerability allows a remote attacker to bypass authentication rate limiting.
The vulnerability exists due to improper restriction of excessive authentication attempts in the admin login function when handling login requests whose request path has been modified. Because the rate limit is keyed on the literal request path, a remote attacker can send login requests with altered path casing or trailing slashes so that each variant is counted separately, bypassing authentication rate limiting.
This affects the admin login endpoint and increases the likelihood that brute-force login attempts succeed.
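The following is an added example written for this bulletin; it is not Strapi's code and does not reproduce Strapi's rate limiter. It illustrates the defensive point behind CVE-2023-38507: when a per-endpoint rate limit is keyed on the raw request path, each spelling of the same route gets its own attempt budget, whereas keying on a normalized path (lowercased, percent-decoded, trailing and duplicate slashes removed) makes the variants share one budget. The limiter class, the normalization rules, the client address `203.0.113.10`, the limit of 5 attempts per minute and the three path spellings are all constructed for illustration.

```javascript
// Added example, not Strapi's code: rate limiting keyed by a normalized
// request path so that casing and trailing-slash variants of one endpoint
// share a single attempt counter. All limits and sample values are assumed.

// Canonicalize a request path before using it as part of a rate-limit key.
function normalizePath(path) {
  // Drop query string and fragment.
  let p = path.split(/[?#]/)[0];
  // Decode percent-encoding so "/admin/%6Cogin" and "/admin/login" match;
  // if decoding fails, keep the raw value rather than throwing.
  try { p = decodeURIComponent(p); } catch (e) { /* keep raw value */ }
  // Case-insensitive comparison; collapse repeated slashes.
  p = p.toLowerCase().replace(/\/{2,}/g, '/');
  // Strip trailing slashes, but keep the root "/".
  p = p.replace(/\/+$/, '');
  return p === '' ? '/' : p;
}

// Minimal fixed-window limiter: at most `max` attempts per `windowMs` per key.
class FixedWindowLimiter {
  constructor({ max, windowMs, keyFn }) {
    this.max = max;
    this.windowMs = windowMs;
    this.keyFn = keyFn;
    this.buckets = new Map(); // key -> { count, resetAt }
  }

  // Returns true if the request is allowed, false if it is rate limited.
  check(req, now = Date.now()) {
    const key = this.keyFn(req);
    let bucket = this.buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      bucket = { count: 0, resetAt: now + this.windowMs };
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.max;
  }
}

// Weak keying: the raw path is part of the key, so "/admin/login",
// "/Admin/Login" and "/admin/login/" each get their own budget.
function makeWeakLimiter() {
  return new FixedWindowLimiter({
    max: 5, windowMs: 60_000,
    keyFn: (req) => `${req.ip}|${req.path}`,
  });
}

// Hardened keying: the normalized path is used, so the variants collapse
// onto one key and one budget.
function makeHardenedLimiter() {
  return new FixedWindowLimiter({
    max: 5, windowMs: 60_000,
    keyFn: (req) => `${req.ip}|${normalizePath(req.path)}`,
  });
}

// Constructed sample traffic: 15 login attempts from one client address,
// rotating through three spellings of the same admin login path.
const PATH_VARIANTS = ['/admin/login', '/Admin/Login', '/admin/login/'];
function sampleRequests() {
  const reqs = [];
  for (let i = 0; i < 15; i++) {
    reqs.push({ ip: '203.0.113.10', path: PATH_VARIANTS[i % PATH_VARIANTS.length] });
  }
  return reqs;
}

// Count how many of the sample requests a limiter lets through, using a
// fixed clock so the result is deterministic.
function countAllowed(limiter, reqs) {
  const t0 = 1_700_000_000_000;
  return reqs.filter((r) => limiter.check(r, t0)).length;
}

console.log('raw-path keying allowed:', countAllowed(makeWeakLimiter(), sampleRequests()));
console.log('normalized keying allowed:', countAllowed(makeHardenedLimiter(), sampleRequests()));
```

With the raw-path key, all 15 attempts pass because each of the three spellings stays under its own limit of 5; with the normalized key only 5 pass. In a real deployment the most robust key is the identity of the matched route handler rather than any string form of the path, since the router has already resolved aliases, casing and trailing slashes by the time the handler runs; path normalization as shown here is the fallback when the limiter sits in front of routing.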
Remediation
Install the update from the vendor's website.