17 matches found
CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
Attacking AWS Cognito with Pacu (p1)
The post Attacking AWS Cognito with Pacu p1 appeared first on Rhino Security Labs...
Authentication Bypass
@strapi/plugin-users-permissions is vulnerable to Authentication Bypass. When using the AWS Cognito login provider for authentication, the library doesn't check access or ID tokens generated throughout the OAuth flow. A remote attacker might impersonate any user using AWS Cognito by fabricating a...
Strapi does not verify the access or ID tokens issued during the OAuth flow
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user...
GHSA-583X-23H9-F5W7 Strapi does not verify the access or ID tokens issued during the OAuth flow
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user...
CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
Authentication flaw
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
CVE-2023-22893
Affected software: Strapi (open-source CMS) prior to 4.5.6. Vulnerability: Strapi versions up to 4.5.5/4.5.6-era did not verify access or ID tokens during the OAuth flow when using the AWS Cognito login provider, allowing a remote attacker to forge a token and bypass authentication. Root cause ...
CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
Authentication Bypass in @strapi/plugin-users-permissions
Summary: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. Details: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider i...
GHSA-XV3Q-JRMM-4FXV Authentication Bypass in @strapi/plugin-users-permissions
Summary: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. Details: Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider i...
Flickr: Flickr Account Takeover using AWS Cognito API
Flickr uses Amazon Cognito to implement its login functionality. Furthermore, Flickr does not allow users to change their registered e-mail address via the user interface. This restriction can be bypassed via direct communication with the Amazon Cognito User Pool API. Consider we have the followi...
BugPoC: Users can Change their Own Email Address
BugPoC uses AWS Cognito for authentication and user pool management. @vasi42 noticed that they were able to use the Cognito API, UpdateUserAttributes, to update their own email address. Calling this API without subsequently calling the VerifyUserAttribute API puts your account into an unverified...
Courier: Bypass Too Many Requests Sign Up
Courier makes a rate limit check before allowing a user to register; this rate limit check can be bypassed and a user account can be created by sending a request directly to the AWS Cognito API – which is not rate limited...
Courier: SSO Provider Credential Cache (logged out of Google/GitHub, could still log into Courier)
After researching this further, our authentication provider Amazon's AWS Cognito caches the access token provided by Google, GitHub, and other SSO providers within their system for up to an hour and does not check against the SSO provider's API again until that cache has expired. We did verify th...
Design/Logic Flaw
Amazon AWS SDK <=2.8.5 for Android uses Android SharedPreferences to store plain text AWS STS Temporary Credentials retrieved by AWS Cognito Identity Service. An attacker can use these credentials to create authenticated and/or authorized requests. Note that the attacker must have "root" privilege...