Improper Authentication in strapi - CVE-2023-22893

 

Improper Authentication in strapi - CVE-2023-22893

Published: May 3, 2023


Vulnerability identifier: #VU75700
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2023-22893
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: strapi.io
Affected software:
strapi

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the affected application does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker can bypass authentication process and gain unauthorized access to the application.


How to mitigate CVE-2023-22893

Install updates from vendor's website.

Sources