cve-2024-29181
Vulnerability from cvelistv5
Published
2024-06-12 14:46
Modified
2024-08-02 01:10
Severity ?
EPSS score ?
Summary
@strapi/plugin-content-manager leaks data via relations via the Admin Panel
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "strapi",
"vendor": "strapi",
"versions": [
{
"lessThan": "4.19.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29181",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T15:34:46.218421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T15:36:12.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:10:54.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"
},
{
"name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "strapi",
"vendor": "strapi",
"versions": [
{
"status": "affected",
"version": "\u003c 4.19.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T14:51:04.145Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"
},
{
"name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"
}
],
"source": {
"advisory": "GHSA-6j89-frxc-q26m",
"discovery": "UNKNOWN"
},
"title": "@strapi/plugin-content-manager leaks data via relations via the Admin Panel"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29181",
"datePublished": "2024-06-12T14:46:04.902Z",
"dateReserved": "2024-03-18T17:07:00.092Z",
"dateUpdated": "2024-08-02T01:10:54.079Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29181\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-12T15:15:50.873\",\"lastModified\":\"2024-09-26T14:48:34.893\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.\"},{\"lang\":\"es\",\"value\":\"Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Antes de la versi\u00f3n 4.19.1, un superadministrador pod\u00eda crear una colecci\u00f3n en la que un elemento de la colecci\u00f3n tuviera una asociaci\u00f3n con otra colecci\u00f3n. Cuando esto sucede, otro usuario con rol de autor puede ver la lista de elementos asociados que no cre\u00f3. No deber\u00edan ver nada m\u00e1s que los elementos que crearon, no todos los elementos creados alguna vez. Los usuarios deben actualizar @strapi/plugin-content-manager a la versi\u00f3n 4.19.1 para recibir un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":2.3,\"baseSeverity\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.19.1\",\"matchCriteriaId\":\"BDFAF527-F672-4CA8-80E4-896AA7FEA40B\"}]}]}],\"references\":[{\"url\":\"https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}"
}
}
gsd-2024-29181
Vulnerability from gsd
Modified
2024-04-02 05:02
Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-29181"
],
"id": "GSD-2024-29181",
"modified": "2024-04-02T05:02:57.486198Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2024-29181",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
}
}
}
ghsa-6j89-frxc-q26m
Vulnerability from github
Published
2024-06-12 19:38
Modified
2024-06-12 19:38
Severity ?
Summary
@strapi/plugin-content-manager leaks data via relations via the Admin Panel
Details
Summary
- If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.
Details
At the top level every collection shows blank items for an Author if they did not create the item. This is ideal and works great. However if you associate one private collection to another private collection and an Author creates a new item. The pull down should not show the admins list of previously created items. It should be blank unitl they add their own items.
PoC
- Sign in as Admin. Navigate to content creation.
- Select a collection and verify you have items you created there. And that they have associations to other protected collections.
- Verify role permissions for your collections are set to CRUD if user created.
- Log out and sign in as a unrelated Author.
- Navigate to content management and verify you see collections built by admin but empty for you (as expected)
- Create a new item as an Author and see the card appear with attributes to fill out.
- Use the form pull down for the associations.
- Notice that protected collection items from Admin appear in drop down. These should be hidden
Impact
Security vulnerability where authors have access to protected data created by admin. This could be passwords emails or any other item created for the admin's collection.
See images below for more context
Permissions set
Good at top level no items seen
Drop down in Author login can see Admin data
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@strapi/plugin-content-manager"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.19.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-29181"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-12T19:38:01Z",
"nvd_published_at": "2024-06-12T15:15:50Z",
"severity": "LOW"
},
"details": "### Summary\n1. If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.\n\n### Details\nAt the top level every collection shows blank items for an Author if they did not create the item. This is ideal and works great. However if you associate one private collection to another private collection and an Author creates a new item. The pull down should not show the admins list of previously created items. It should be blank unitl they add their own items.\n\n### PoC\n1. Sign in as Admin. Navigate to content creation.\n2. Select a collection and verify you have items you created there. And that they have associations to other protected collections.\n3. Verify role permissions for your collections are set to CRUD if user created.\n4. Log out and sign in as a unrelated Author.\n5. Navigate to content management and verify you see collections built by admin but empty for you (as expected)\n6. Create a new item as an Author and see the card appear with attributes to fill out.\n7. Use the form pull down for the associations.\n8. Notice that protected collection items from Admin appear in drop down. These should be hidden\n\n### Impact\nSecurity vulnerability where authors have access to protected data created by admin. This could be passwords emails or any other item created for the admin\u0027s collection. \n\nSee images below for more context\n\nPermissions set\n\n\nGood at top level no items seen\n\n\nDrop down in Author login can see Admin data\n\n",
"id": "GHSA-6j89-frxc-q26m",
"modified": "2024-06-12T19:38:02Z",
"published": "2024-06-12T19:38:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29181"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "@strapi/plugin-content-manager leaks data via relations via the Admin Panel"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.