Veracode Vulnerability Database: VERACODE:43283
Published: Sep 15, 2023, 07:36:45

Improper Authorization

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: strapi, plugin, content-manager, improper authorization, vulnerability, field level permissions, rbac permission checks, relations.js

CVSS v3.1 base score: 6.8 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

EPSS: 0.0004 (Low), percentile 14.0%

@strapi/plugin-content-manager is vulnerable to Improper Authorization. Field-level permissions are not enforced on the relationship title field: relations.js performs no RBAC permission check before reading and returning that field, so an authenticated admin-panel user whose role is not permitted to read the field can still obtain its value through relation lookups. The vulnerability affects confidentiality only (the vector above carries no integrity or availability impact); a quick check is whether a role that is denied read access to the title field of a related content type still sees that field's value in relation responses.
