9.8 High (CVSS3)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.001 (Low), percentile 27.5%
@strapi/admin and @strapi/plugin-users-permissions vulnerable to Improper Rate Limiting. The vulnerability is due to bypassable rate limiting logic in the admin and user authentication endpoints which could theoretically allow an attacker to brute force valid username and password combinations.
CPE | Name | Operator | Version |
---|---|---|---|
 | @strapi/plugin-users-permissions | le | 4.12.0 |
 | @strapi/admin | le | 4.12.0 |
github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31
github.com/strapi/strapi/commit/ed364d951a1e024e2497b8597d298bd60ee1df2f
github.com/strapi/strapi/releases/tag/v4.12.1
github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r