Lucene search

GitHub_MCVELIST:CVE-2023-38507

HistorySep 15, 2023 - 7:15 p.m.

CVE-2023-38507 Strapi Improper Rate Limiting vulnerability

2023-09-1519:15:06

CWE-770

GitHub_M

www.cve.org

strapi

content management system

rate limit

bypass

vulnerability

fixed

version 4.12.1

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.5%

JSON

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi’s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

CNA Affected

[
  {
    "vendor": "strapi",
    "product": "strapi",
    "versions": [
      {
        "version": "< 4.12.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31

github.com/strapi/strapi/releases/tag/v4.12.1

github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r

7.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.5%

JSON

Related for CVELIST:CVE-2023-38507