Main Vulnerability Database Vulnerabilities #VU75700

Improper Authentication in strapi - CVE-2023-22893

Published: May 3, 2023

Vulnerability identifier: #VU75700

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2023-22893

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
strapi

Software vendor:
strapi.io

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected application does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Remediation

Install updates from vendor's website.

External links

https://www.ghostccamm.com/blog/multi_strapi_vulns/
https://github.com/strapi/strapi/releases
https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

Improper Authentication in strapi - CVE-2023-22893

Description

Remediation

External links

Please verify you're human