CVE-2023-37263 - OpenCVE

Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Strapi	Strapi

Configuration 1 [-]

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/strapi/strapi/releases/tag/v4.12.1
https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T18:57:09.623Z

Updated: 2024-08-02T17:09:33.930Z

Reserved: 2023-06-29T19:35:26.437Z

Link: CVE-2023-37263

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-09-15T19:15:08.637

Modified: 2023-09-20T15:38:23.920

Link: CVE-2023-37263

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37263", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-29T19:35:26.437Z", "datePublished": "2023-09-15T18:57:09.623Z", "dateUpdated": "2024-08-02T17:09:33.930Z"}, "containers": {"cna": {"title": "Strapi's field level permissions not being respected in relationship title", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T18:57:09.623Z"}, "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue."}], "source": {"advisory": "GHSA-m284-85mf-cgrc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:09:33.930Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A80799-A87E-41E1-9D7B-9F27E85A29BD", "versionEndExcluding": "4.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, los permisos a nivel de campo no se respetaban en el t\u00edtulo de la relaci\u00f3n. Si un actor tiene un t\u00edtulo de relaci\u00f3n y la relaci\u00f3n muestra un campo para el que no tiene permiso para ver, el campo seguir\u00e1 estando visible. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-37263", "lastModified": "2023-09-20T15:38:23.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-09-15T19:15:08.637", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}