CVE-2024-29181 - OpenCVE

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Strapi	Strapi

Configuration 1 [-]

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m

History

Thu, 26 Sep 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Strapi Strapi strapi
CPEs		cpe:2.3:a:strapi:strapi::::::::
Vendors & Products		Strapi Strapi strapi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-06-12T14:46:04.902Z

Updated: 2024-08-02T01:10:54.079Z

Reserved: 2024-03-18T17:07:00.092Z

Link: CVE-2024-29181

Vulnrichment

Updated: 2024-08-02T01:10:54.079Z

NVD

Status : Analyzed

Published: 2024-06-12T15:15:50.873

Modified: 2024-09-26T14:48:34.893

Link: CVE-2024-29181

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29181", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-18T17:07:00.092Z", "datePublished": "2024-06-12T14:46:04.902Z", "dateUpdated": "2024-08-02T01:10:54.079Z"}, "containers": {"cna": {"title": "@strapi/plugin-content-manager leaks data via relations via the Admin Panel", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"}, {"name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"version": "< 4.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-12T14:51:04.145Z"}, "descriptions": [{"lang": "en", "value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."}], "source": {"advisory": "GHSA-6j89-frxc-q26m", "discovery": "UNKNOWN"}}, "adp": [{"affected": [{"vendor": "strapi", "product": "strapi", "cpes": ["cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "4.19.1", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-12T15:34:46.218421Z", "id": "CVE-2024-29181", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:36:12.536Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.079Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"}, {"name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:54.079Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29181", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-12T15:34:46.218421Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*"], "vendor": "strapi", "product": "strapi", "versions": [{"status": "affected", "version": "0", "lessThan": "4.19.1", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-12T15:36:02.074Z"}}], "cna": {"title": "@strapi/plugin-content-manager leaks data via relations via the Admin Panel", "source": {"advisory": "GHSA-6j89-frxc-q26m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "strapi", "product": "strapi", "versions": [{"status": "affected", "version": "< 4.19.1"}]}], "references": [{"url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "name": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "name": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-12T14:51:04.145Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29181", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:10:54.079Z", "dateReserved": "2024-03-18T17:07:00.092Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-12T14:46:04.902Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*", "matchCriteriaId": "BDFAF527-F672-4CA8-80E4-896AA7FEA40B", "versionEndExcluding": "4.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch."}, {"lang": "es", "value": "Strapi es un sistema de gesti\u00f3n de contenidos de c\u00f3digo abierto. Antes de la versi\u00f3n 4.19.1, un superadministrador pod\u00eda crear una colecci\u00f3n en la que un elemento de la colecci\u00f3n tuviera una asociaci\u00f3n con otra colecci\u00f3n. Cuando esto sucede, otro usuario con rol de autor puede ver la lista de elementos asociados que no cre\u00f3. No deber\u00edan ver nada m\u00e1s que los elementos que crearon, no todos los elementos creados alguna vez. Los usuarios deben actualizar @strapi/plugin-content-manager a la versi\u00f3n 4.19.1 para recibir un parche."}], "id": "CVE-2024-29181", "lastModified": "2024-09-26T14:48:34.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-06-12T15:15:50.873", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}