{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29181", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.092Z", "datePublished": "2024-06-12T14:46:04.902Z", "dateUpdated": "2024-06-12T15:36:12.536Z"}, "containers": {"cna": {"title": "@strapi/plugin-content-manager leaks data via relations via the Admin Panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"}, {"name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-12T14:51:04.145Z"}, "descriptions": [{"lang": "en", "value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."}], "source": {"advisory": "GHSA-6j89-frxc-q26m", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "strapi", "product": "strapi", "cpes": ["cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.19.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T15:34:46.218421Z", "id": "CVE-2024-29181", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:36:12.536Z"}}]}}

{"descriptions": [{"lang": "en", "value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Antes de la versi\u00f3n 4.19.1, un superadministrador pod\u00eda crear una colecci\u00f3n en la que un elemento de la colecci\u00f3n tuviera una asociaci\u00f3n con otra colecci\u00f3n. Cuando esto sucede, otro usuario con rol de autor puede ver la lista de elementos asociados que no cre\u00f3. No deber\u00edan ver nada m\u00e1s que los elementos que crearon, no todos los elementos creados alguna vez. Los usuarios deben actualizar @strapi/plugin-content-manager a la versi\u00f3n 4.19.1 para recibir un parche."}], "id": "CVE-2024-29181", "lastModified": "2024-06-13T18:36:09.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-12T15:15:50.873", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"}, {"source": "security-advisories@github.com", "url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}