Lucene search
GoogleOSV:CVE-2023-22893HistoryApr 19, 2023 - 4:15 p.m.
CVE-2023-22893
2023-04-1916:15:07
Google
osv.dev
2
0.003 Low
EPSS
Percentile
69.4%
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the ‘None’ type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication.
| CPE | Name | Operator | Version |
|---|---|---|---|
| strapi | eq | 4.0.0-beta.14 | |
| strapi | eq | 4.0.0-beta.5 | |
| strapi | eq | 4.2.0-beta.4 | |
| strapi | eq | 3.3.1 | |
| strapi | eq | 4.0.0-beta.20 | |
| strapi | eq | 3.1.7 | |
| strapi | eq | 4.0.3 | |
| strapi | eq | 4.1.10 | |
| strapi | eq | 4.4.6 | |
| strapi | eq | 4.1.0 |
Related
github
github
Strapi does not verify the access or ID tokens issued during the OAuth flow
2023-04-19 18:33:22
osv
osv
Strapi does not verify the access or ID tokens issued during the OAuth flow
2023-04-19 18:33:22
prion
prion
Authentication flaw
2023-04-19 16:15:00
cvelist
cvelist
CVE-2023-22893
2023-04-19 00:00:00
veracode
veracode
Authentication Bypass
2023-04-27 13:12:18
cve
cve
CVE-2023-22893
2023-04-19 16:15:07
wallarmlab
wallarmlab
ChatGPT: Friend or Foe? | API Security Newsletter
2023-05-16 13:58:20