GHSA-9xg4-3qfm-9w8f

Suggest an improvement
Source
https://github.com/advisories/GHSA-9xg4-3qfm-9w8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9xg4-3qfm-9w8f/GHSA-9xg4-3qfm-9w8f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9xg4-3qfm-9w8f
Aliases
Published
2023-07-25T17:17:37Z
Modified
2023-11-08T04:12:45.156522Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Leaking sensitive user information still possible by filtering on private with prefix fields
Details

Summary

Still able to leak private fields if using the t(number) prefix

Details

Knex query allows you to change there default prefix SqliteError: select distinct `t0`.* from `pages` as `t0` left join `admin_users` as `t1` on `t0`.`updated_by_id` = `t1`.`id` where (`t1`.`password` = 1) so if you change the prefix to the same as it was before or to an other table you want to query you query changes from password to t1.password password is protected by filtering protections but t1.password is not protected

PoC

1 Create a contentType 2 add to its options "populateCreatorFields" 3 create 1 entity in your new content type 4 in settings enable the find route in settings for the content type you created for public 5 /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=a%24 And now the api returns noting if you were to do /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=%24 it would return your entity

Impact

You can do filtering attacks on everything related to the object again including admin passwords and reset-tokens.

References

Affected packages

npm / @strapi/database

Package

Name
@strapi/database
View open source insights on deps.dev
Purl
pkg:npm/%40strapi/database

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.10.8

Database specific

{
    "last_known_affected_version_range": "<= 4.10.7"
}

npm / @strapi/utils

Package

Name
@strapi/utils
View open source insights on deps.dev
Purl
pkg:npm/%40strapi/utils

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.10.8

Database specific

{
    "last_known_affected_version_range": "<= 4.10.7"
}