CVE-2023-38507 - Vulnerability Details - OpenCVE

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00255.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Strapi	Strapi

Configuration 1 [-]

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-2389	Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.
Github GHSA	GHSA-24q2-59hm-rh9r	Strapi Improper Rate Limiting vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31
https://github.com/strapi/strapi/releases/tag/v4.12.1
https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r

History

Wed, 25 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-09-15T19:15:06.391Z

Updated: 2024-09-25T18:05:58.465Z

Reserved: 2023-07-18T16:28:12.078Z

Link: CVE-2023-38507

Vulnrichment

Updated: 2024-08-02T17:46:55.754Z

NVD

Status : Modified

Published: 2023-09-15T20:15:08.997

Modified: 2024-11-21T08:13:43.200

Link: CVE-2023-38507

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38507", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-07-18T16:28:12.078Z", "datePublished": "2023-09-15T19:15:06.391Z", "dateUpdated": "2024-09-25T18:05:58.465Z"}, "containers": {"cna": {"title": "Strapi Improper Rate Limiting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}, {"name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T19:15:06.391Z"}, "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."}], "source": {"advisory": "GHSA-24q2-59hm-rh9r", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.754Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}, {"name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-25T18:05:45.725783Z", "id": "CVE-2023-38507", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:05:58.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:46:55.754Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-38507", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-25T18:05:45.725783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-25T18:05:52.828Z"}}], "cna": {"title": "Strapi Improper Rate Limiting vulnerability", "source": {"advisory": "GHSA-24q2-59hm-rh9r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"status": "affected", "version": "< 4.12.1"}]}], "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "name": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "name": "https://github.com/strapi/strapi/releases/tag/v4.12.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-09-15T19:15:06.391Z"}}}, "cveMetadata": {"cveId": "CVE-2023-38507", "state": "PUBLISHED", "dateUpdated": "2024-09-25T18:05:58.465Z", "dateReserved": "2023-07-18T16:28:12.078Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-09-15T19:15:06.391Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8A80799-A87E-41E1-9D7B-9F27E85A29BD", "versionEndExcluding": "4.12.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos headless de c\u00f3digo abierto. Antes de la versi\u00f3n 4.12.1, hab\u00eda un l\u00edmite de velocidad en la funci\u00f3n de inicio de sesi\u00f3n de la pantalla de administraci\u00f3n de Strapi, pero es posible evitarlo. Por lo tanto, aumenta la posibilidad de un inicio de sesi\u00f3n no autorizado mediante un ataque de fuerza bruta. La versi\u00f3n 4.12.1 tiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-38507", "lastModified": "2024-11-21T08:13:43.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-15T20:15:08.997", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/strapi/strapi/releases/tag/v4.12.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}