CVE-2023-37263 - Vulnerability Details - OpenCVE

Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00085.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Strapi	Strapi

Configuration 1 [-]

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2540	Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.
Github GHSA	GHSA-m284-85mf-cgrc	Strapi's field level permissions not being respected in relationship title

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/strapi/strapi/releases/tag/v4.12.1
https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc

History

Wed, 25 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T18:57:09.623Z

Updated: 2024-09-25T14:58:52.828Z

Reserved: 2023-06-29T19:35:26.437Z

Link: CVE-2023-37263

Vulnrichment

Updated: 2024-08-02T17:09:33.930Z

NVD

Status : Modified

Published: 2023-09-15T19:15:08.637

Modified: 2024-11-21T08:11:20.737

Link: CVE-2023-37263

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37263", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-29T19:35:26.437Z", "datePublished": "2023-09-15T18:57:09.623Z", "dateUpdated": "2024-09-25T14:58:52.828Z"}, "containers": {"cna": {"title": "Strapi's field level permissions not being respected in relationship title", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T18:57:09.623Z"}, "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue."}], "source": {"advisory": "GHSA-m284-85mf-cgrc", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:09:33.930Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T14:58:02.647197Z", "id": "CVE-2023-37263", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:58:52.828Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:09:33.930Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37263", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T14:58:02.647197Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T14:58:34.057Z"}}], "cna": {"title": "Strapi's field level permissions not being respected in relationship title", "source": {"advisory": "GHSA-m284-85mf-cgrc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"status": "affected", "version": "< 4.12.1"}]}], "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T18:57:09.623Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37263", "state": "PUBLISHED", "dateUpdated": "2024-09-25T14:58:52.828Z", "dateReserved": "2023-06-29T19:35:26.437Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-15T18:57:09.623Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A80799-A87E-41E1-9D7B-9F27E85A29BD", "versionEndExcluding": "4.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, field level permissions are not respected in the relationship title. If an actor has relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, los permisos a nivel de campo no se respetaban en el t\u00edtulo de la relaci\u00f3n. Si un actor tiene un t\u00edtulo de relaci\u00f3n y la relaci\u00f3n muestra un campo para el que no tiene permiso para ver, el campo seguir\u00e1 estando visible. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-37263", "lastModified": "2024-11-21T08:11:20.737", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-15T19:15:08.637", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-m284-85mf-cgrc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}