UPDATED 08:00 EDT / MAY 19 2022

SECURITY

JSON vulnerabilities in Strapi open the door to hackers and data theft

The Synopsys Cybersecurity Research Center has uncovered two critical vulnerabilities that can expose sensitive data in JSON responses from Strapi, the open-source Node.js headless content management system.

The two vulnerabilities, named CVE-2022-30617 and CVE-2022-30618, are described as sensitive data exposure vulnerabilities that may lead to account compromise in the admin panel of Strapi.

That’s a popular open-source headless CMS software built in JavaScript that allows users to design and build application programming interfaces quickly. The Strapi admin panel is a web-based user interface that allows users to define the API’s content types and manage it.

CVE-2022-30617 is said to expose sensitive data of admin panel users in a JSON response; CVE-2022-30618 does the same for API users. The vulnerabilities affect Strapi v3 up to v3.6.9 and Strapi v4 beta versions up to v4.0.0-beta.15.

The researchers explain the first vulnerability allows an authenticated user with access to the Strapi admin panel to view private and sensitive data. This includes email and password reset tokens as well as details of other admin panel users that have a relationship with content accessible to the authenticated user.

In an example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” that has updated one of the author’s blog posts. In other scenarios, details from other users could be leaked in the JSON response, either through a direct or an indirect relationship.

The second vulnerability opens the door for an authenticated user with access to the Strapi admin panel to view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users.

The researchers explain that there are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or an indirect relationship. Access to this information enables a user to compromise those users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user gets access to a high-privileged API account and can thereby read and modify any data, as well as block access to both the admin panel and the API by revoking privileges for all other users.
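The failure mode described above is populated relations (the editor who updated a post, the API user a post belongs to) carrying other users' credential fields into the JSON a lower-privileged user receives. As an added illustration, not Strapi's own code or the researchers' material, the defender-side helpers below strip such fields from nested relations and audit a response body for any that remain; the field names and the sample response are assumptions modelled on the article.

```javascript
// Added example (not Strapi's code). Field names below are assumptions
// standing in for the "email and password reset tokens" the article cites.
const SENSITIVE_KEYS = new Set([
  'password', 'resetPasswordToken', 'registrationToken', 'confirmationToken',
]);

// Walk any nested object/array and drop sensitive keys wherever they appear,
// so populated relations (updated_by, author, created_by, ...) cannot carry
// another admin or API user's credentials. Returns a cleaned copy; the input
// object is left untouched.
function sanitizeRelations(value) {
  if (Array.isArray(value)) return value.map(sanitizeRelations);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (SENSITIVE_KEYS.has(key)) continue;
    out[key] = sanitizeRelations(child);
  }
  return out;
}

// Audit helper for a response body: returns the JSON paths of every
// sensitive key still present, e.g. ["updated_by.resetPasswordToken"].
function findLeakedFields(value, path = '') {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findLeakedFields(v, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const here = path ? `${path}.${key}` : key;
    return SENSITIVE_KEYS.has(key) ? [here] : findLeakedFields(child, here);
  });
}

// Constructed sample: a blog post as an "author" role might receive it, with
// the editor who updated it and the API user it belongs to populated inline.
const SAMPLE_RESPONSE = {
  id: 7,
  title: 'Hello',
  updated_by: { id: 2, email: 'editor@example.test', resetPasswordToken: 'tok-editor-123' },
  author: { id: 9, email: 'reader@example.test', password: '$2a$10$hash', resetPasswordToken: 'tok-api-456' },
  tags: [{ id: 1, name: 'news', created_by: { id: 1, registrationToken: 'reg-1' } }],
};

console.log(findLeakedFields(SAMPLE_RESPONSE));                    // 4 leaked paths
console.log(findLeakedFields(sanitizeRelations(SAMPLE_RESPONSE))); // []
```

The audit helper is also usable as a regression check against captured admin-panel responses after upgrading, to confirm no populated relation still exposes token or password fields.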

The good news is that the release of the details comes well after the issue was addressed, but as is sadly typical, not everyone updates software in a timely fashion. The researchers first informed Strapi in November and later releases fixed the issue.
