The Synopsys Cybersecurity Research Center has uncovered two critical vulnerabilities that can expose sensitive data through JSON responses in the open-source Node.js headless content management system Strapi.
The two vulnerabilities, tracked as CVE-2022-30617 and CVE-2022-30618, are described as sensitive data exposure vulnerabilities that may lead to account compromise in the admin panel of Strapi.
Strapi is a popular open-source headless CMS built in JavaScript that allows users to design and build application programming interfaces quickly. The Strapi admin panel is a web-based user interface that allows users to define the API’s content types and manage their content.
CVE-2022-30617 is said to expose sensitive data of admin panel users in a JSON response; CVE-2022-30618 does the same for API users. The vulnerabilities affect Strapi v3 up to v3.6.9 and Strapi v4 beta versions up to v4.0.0-beta.15.
The researchers explain the first vulnerability allows an authenticated user with access to the Strapi admin panel to view private and sensitive data. This includes email and password reset tokens as well as details of other admin panel users that have a relationship with content accessible to the authenticated user.
In one example, a low-privileged “author” role account can view these details in the JSON response for an “editor” or “super admin” who has updated one of the author’s blog posts. In other scenarios, details of other users can leak in the JSON response through a direct or indirect relationship.
The second vulnerability opens the door for an authenticated user with access to the Strapi admin panel to view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contains relationships to API users.
The researchers explain that there are many scenarios in which such details of API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise those users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user gains access to a high-privileged API account and can thereby read and modify any data, as well as block access to both the admin panel and the API by revoking privileges for all other users.
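The root cause described above is a serialization problem: user records reached through content relations are emitted in full, reset tokens included. The defensive pattern is to project every embedded user record onto an allowlist of public fields, however deeply it is nested, and to audit responses for the sensitive keys. The following is an added example written for this article; it is not Strapi's code and not the fix the project shipped, and its field names (`resetPasswordToken`, `registrationToken`, `created_by`, `updated_by`) and the sample response are assumptions constructed for illustration.

```javascript
// Added example (not Strapi's code, and not the project's actual fix): an
// allowlist projection for user records embedded anywhere in a JSON response,
// plus an audit helper that reports where sensitive fields still appear.
// Field names and the sample response below are constructed for illustration.

// Any object carrying one of these keys is treated as a user record.
const USER_MARKER_FIELDS = ["email", "password", "resetPasswordToken", "registrationToken"];

// Keys that must never reach a client, wherever they sit in the response.
const SENSITIVE_FIELDS = new Set(USER_MARKER_FIELDS);

// The only user attributes a response is allowed to carry.
const PUBLIC_USER_FIELDS = ["id", "username", "firstname", "lastname"];

function isUserRecord(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value)
    && USER_MARKER_FIELDS.some((f) => Object.prototype.hasOwnProperty.call(value, f));
}

// Returns a deep copy of `value` (assumed to be plain, acyclic JSON data) in
// which every user record, however deeply nested via relations, is replaced
// by its public projection. Unknown keys are dropped rather than denylisted,
// so a newly added sensitive column cannot slip through unnoticed.
function sanitizeResponse(value) {
  if (value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) return value.map(sanitizeResponse);
  if (isUserRecord(value)) {
    const projected = {};
    for (const f of PUBLIC_USER_FIELDS) {
      if (Object.prototype.hasOwnProperty.call(value, f)) projected[f] = value[f];
    }
    return projected;
  }
  const out = {};
  for (const [key, child] of Object.entries(value)) out[key] = sanitizeResponse(child);
  return out;
}

// Audit helper: lists JSON paths of sensitive keys in a response. Useful in a
// regression test or as a last-line check in response middleware.
function findSensitiveFields(value, path = "$", found = []) {
  if (value === null || typeof value !== "object") return found;
  if (Array.isArray(value)) {
    value.forEach((item, i) => findSensitiveFields(item, `${path}[${i}]`, found));
    return found;
  }
  for (const [key, child] of Object.entries(value)) {
    if (SENSITIVE_FIELDS.has(key)) found.push(`${path}.${key}`);
    findSensitiveFields(child, `${path}.${key}`, found);
  }
  return found;
}

// Constructed sample: a post as a low-privileged author might fetch it, with
// the editing admin and a commenting API user attached through relations.
const SAMPLE_RESPONSE = {
  id: 7,
  title: "Draft post",
  created_by: { id: 2, firstname: "Ann", lastname: "Author",
    email: "ann@example.invalid", resetPasswordToken: "CONSTRUCTED-TOKEN-1" },
  updated_by: { id: 1, firstname: "Sam", lastname: "Super",
    email: "sam@example.invalid", resetPasswordToken: "CONSTRUCTED-TOKEN-2" },
  comments: [
    { id: 11, body: "Looks good",
      author: { id: 5, username: "apiuser", email: "api@example.invalid",
        resetPasswordToken: "CONSTRUCTED-TOKEN-3" } },
  ],
};

const CLEAN_RESPONSE = sanitizeResponse(SAMPLE_RESPONSE);
console.log("leaks before:", findSensitiveFields(SAMPLE_RESPONSE));
console.log("leaks after:", findSensitiveFields(CLEAN_RESPONSE));
console.log(JSON.stringify(CLEAN_RESPONSE, null, 2));
```

The allowlist runs on the response as a whole rather than per content type, so a relation added later (a comment's author, a post's last editor) is covered without a per-route fix. The audit helper is the check to keep: run it over responses in tests so that a future relation cannot reintroduce the leak silently.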
The good news is that the details were published well after the issue was addressed, but as is sadly typical, not everyone updates software promptly. The researchers first informed Strapi in November, and later releases fixed the issue.