GHSA-9xg4-3qfm-9w8f

Source

https://github.com/advisories/GHSA-9xg4-3qfm-9w8f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-9xg4-3qfm-9w8f/GHSA-9xg4-3qfm-9w8f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9xg4-3qfm-9w8f

Aliases

CVE-2023-34235

Related

CVE-2023-34235

Published

2023-07-25T17:17:37Z

Modified

2023-11-08T04:12:45.156522Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Leaking sensitive user information still possible by filtering on private with prefix fields

Details

Summary

Still able to leak private fields if using the t(number) prefix

Details

Knex query allows you to change there default prefix SqliteError: select distinct `t0`.* from `pages` as `t0` left join `admin_users` as `t1` on `t0`.`updated_by_id` = `t1`.`id` where (`t1`.`password` = 1) so if you change the prefix to the same as it was before or to an other table you want to query you query changes from password to t1.password password is protected by filtering protections but t1.password is not protected

PoC

1 Create a contentType 2 add to its options "populateCreatorFields" 3 create 1 entity in your new content type 4 in settings enable the find route in settings for the content type you created for public 5 /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=a%24 And now the api returns noting if you were to do /api/(Your contenttype)?filters%5BupdatedBy%5D%5Bt1.password%5D%5B%24startsWith%5D=%24 it would return your entity

Impact

You can do filtering attacks on everything related to the object again including admin passwords and reset-tokens.

Database specific

{
    "nvd_published_at": "2023-07-25T18:15:10Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T17:17:37Z"
}

References

Affected packages

npm / @strapi/database

Package

Name: @strapi/database; View open source insights on deps.dev
Purl: pkg:npm/%40strapi/database

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.10.8

Database specific

{
    "last_known_affected_version_range": "<= 4.10.7"
}

npm / @strapi/utils

Package

Name: @strapi/utils; View open source insights on deps.dev
Purl: pkg:npm/%40strapi/utils

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.10.8

Database specific

{
    "last_known_affected_version_range": "<= 4.10.7"
}