{
  "GSD": {
    "alias": "CVE-2023-22894",
    "id": "GSD-2023-22894"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-22894"
      ],
      "details": "Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.",
      "id": "GSD-2023-22894",
      "modified": "2023-12-13T01:20:43.315209Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-22894",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/strapi/strapi/releases",
            "refsource": "MISC",
            "url": "https://github.com/strapi/strapi/releases"
          },
          {
            "name": "https://www.ghostccamm.com/blog/multi_strapi_vulns/",
            "refsource": "MISC",
            "url": "https://www.ghostccamm.com/blog/multi_strapi_vulns/"
          },
          {
            "name": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve",
            "refsource": "MISC",
            "url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=3.2.1 \u003c4.8.0",
          "affected_versions": "All versions starting from 3.2.1 before 4.8.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-04-20",
          "description": "Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.",
          "fixed_versions": [
            "4.8.0"
          ],
          "identifier": "CVE-2023-22894",
          "identifiers": [
            "GHSA-jjqf-j4w7-92w8",
            "CVE-2023-22894"
          ],
          "not_impacted": "All versions before 3.2.1, all versions starting from 4.8.0",
          "package_slug": "npm/@strapi/strapi",
          "pubdate": "2023-04-19",
          "solution": "Upgrade to version 4.8.0 or above.",
          "title": "Strapi leaking sensitive user information by filtering on private fields",
          "urls": [
            "https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-22894",
            "https://github.com/strapi/strapi/releases",
            "https://github.com/strapi/strapi/releases/tag/v4.8.0",
            "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve",
            "https://www.ghostccamm.com/blog/multi_strapi_vulns/",
            "https://github.com/advisories/GHSA-jjqf-j4w7-92w8"
          ],
          "uuid": "58899736-eb10-4279-8364-63b1fde8ee37"
        },
        {
          "affected_range": "\u003e=3.2.1 \u003c4.8.0",
          "affected_versions": "All versions starting from 3.2.1 before 4.8.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-312",
            "CWE-937"
          ],
          "date": "2023-05-01",
          "description": "Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.",
          "fixed_versions": [],
          "identifier": "CVE-2023-22894",
          "identifiers": [
            "CVE-2023-22894"
          ],
          "not_impacted": "",
          "package_slug": "npm/strapi",
          "pubdate": "2023-04-19",
          "solution": "Unfortunately, there is no solution available yet.",
          "title": "Cleartext Storage of Sensitive Information",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-22894",
            "https://www.ghostccamm.com/blog/multi_strapi_vulns/",
            "https://github.com/strapi/strapi/releases",
            "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"
          ],
          "uuid": "a712858d-901e-4aab-ad76-b84c48833ed2"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.8.0",
                "versionStartIncluding": "3.2.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2023-22894"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-312"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ghostccamm.com/blog/multi_strapi_vulns/",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://www.ghostccamm.com/blog/multi_strapi_vulns/"
            },
            {
              "name": "https://github.com/strapi/strapi/releases",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/strapi/strapi/releases"
            },
            {
              "name": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Vendor Advisory"
              ],
              "url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-05-01T18:10Z",
      "publishedDate": "2023-04-19T16:15Z"
    }
  }
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/strapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.1"
            },
            {
              "fixed": "4.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-22894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-19T21:41:26Z",
    "nvd_published_at": "2023-04-19T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nStrapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users.\n\n### Details\n\nStrapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. The unauthenticated attacker can filter users by columns that contain sensitive information and infer the values by the changes in the API responses. An unauthenticated attacker can exploit this vulnerability to hijack Strapi administrator accounts and gain unauthorized Strapi Super Administrator access by leaking the password reset token and changing the admin password. This can be exploited on all Strapi versions \u003c=4.7.1.\n\n### IoC\n\nThe exploitation of CVE-2023-22894 is easily detectable, since the payload is within the GET parameters and are normally included in request logs. The following regex pattern will extract requests that are exploiting this vulnerability to leak user\u0027s email, password and password reset token columns.\n\n`/(\\[|%5B)\\s*(email|password|reset_password_token|resetPasswordToken)\\s*(\\]|%5D)/`\n\nYou can search log files for this IoC by using the following grep command.\n\n`grep -iE \u0027(\\[|%5B)\\s*(email|password|reset_password_token|resetPasswordToken)\\s*(\\]|%5D)\u0027 $PATH_TO_LOG_FILE`\n\nIf the above regex pattern matches any lines in your log files, take extra precaution to look out for multiple requests that include password, reset_password_token or resetPasswordToken. This would indicate that an attacker has leaked the password hashes and reset tokens on your Strapi server and you need to immediately start an incident response!\n\n### Impact\n\nAll Strapi users below 4.8.0\n",
  "id": "GHSA-jjqf-j4w7-92w8",
  "modified": "2023-04-19T21:41:26Z",
  "published": "2023-04-19T21:41:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-jjqf-j4w7-92w8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22894"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v4.8.0"
    },
    {
      "type": "WEB",
      "url": "https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve"
    },
    {
      "type": "WEB",
      "url": "https://www.ghostccamm.com/blog/multi_strapi_vulns"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strapi leaking sensitive user information by filtering on private fields"
}