CVE-2023-38507 - OpenCVE

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Strapi	Strapi

Configuration 1 [-]

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31	Issue Tracking
https://github.com/strapi/strapi/releases/tag/v4.12.1	Release Notes
https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T19:15:06.391Z

Updated: 2023-09-15T19:15:06.391Z

Reserved: 2023-07-18T16:28:12.078Z

Link: CVE-2023-38507

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-15T20:15:08.997

Modified: 2023-09-21T14:09:16.523

Link: CVE-2023-38507

JSON object: View

Redhat Information

No data.

CWE

CWE-770

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-38507", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.078Z", "datePublished": "2023-09-15T19:15:06.391Z", "dateUpdated": "2023-09-15T19:15:06.391Z"}, "containers": {"cna": {"title": "Strapi Improper Rate Limiting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}, {"name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T19:15:06.391Z"}, "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."}], "source": {"advisory": "GHSA-24q2-59hm-rh9r", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A80799-A87E-41E1-9D7B-9F27E85A29BD", "versionEndExcluding": "4.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, hab\u00eda un l\u00edmite de velocidad en la funci\u00f3n de inicio de sesi\u00f3n de la pantalla de administraci\u00f3n de Strapi, pero es posible evitarlo. Por lo tanto, aumenta la posibilidad de un inicio de sesi\u00f3n no autorizado mediante un ataque de fuerza bruta. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-38507", "lastModified": "2023-09-21T14:09:16.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-15T20:15:08.997", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}