Lucene search

[email protected]NVD:CVE-2023-38507

HistorySep 15, 2023 - 8:15 p.m.

CVE-2023-38507

2023-09-1520:15:08

CWE-770

[email protected]

web.nvd.nist.gov

strapi

open-source

content management system

rate limit

circumvention

vulnerability

unauthorized

fix

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

44.9%

JSON

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi’s admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

Affected configurations

Nvd

Node

strapistrapiRange<4.12.1

VendorProductVersionCPE
strapistrapi*cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
strapi	strapi	*	cpe:2.3:a:strapi:strapi::::::::

References

github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31

github.com/strapi/strapi/releases/tag/v4.12.1

github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

44.9%

JSON

Related for NVD:CVE-2023-38507

osv2 cve1 veracode1 github1 prion1 cvelist1 vulnrichment1