Lucene search

Veracode Vulnerability DatabaseVERACODE:44326

HistoryNov 21, 2023 - 5:45 a.m.

Improper Authorization

2023-11-2105:45:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

improper authorization

vulnerability

strapi-plugin-protected-populate

protectpopulate

protect-route.js

field-level security bypass

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.9%

JSON

strapi-plugin-protected-populate is vulnerable to Improper Authorization. The vulnerability is due to the protectPopulate function of protect-route.js, which allows a users to populate fields they don’t have access, resulting in field-level security bypass.

CPENameOperatorVersion
strapi-plugin-protected-populatele1.3.3
strapi-plugin-protected-populatele1.3.3

CPE	Name	Operator	Version
	strapi-plugin-protected-populate	le	1.3.3
	strapi-plugin-protected-populate	le	1.3.3

References

github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39

github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4

github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.9%

JSON

Related for VERACODE:44326