Skip to content

@strapi/plugin-content-manager leaks data via relations via the Admin Panel

Low severity GitHub Reviewed Published Jun 12, 2024 in strapi/strapi • Updated Jun 14, 2024

Package

npm @strapi/plugin-content-manager (npm)

Affected versions

< 4.19.1

Patched versions

4.19.1

Description

Summary

  1. If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.

Details

At the top level every collection shows blank items for an Author if they did not create the item. This is ideal and works great. However if you associate one private collection to another private collection and an Author creates a new item. The pull down should not show the admins list of previously created items. It should be blank unitl they add their own items.

PoC

  1. Sign in as Admin. Navigate to content creation.
  2. Select a collection and verify you have items you created there. And that they have associations to other protected collections.
  3. Verify role permissions for your collections are set to CRUD if user created.
  4. Log out and sign in as a unrelated Author.
  5. Navigate to content management and verify you see collections built by admin but empty for you (as expected)
  6. Create a new item as an Author and see the card appear with attributes to fill out.
  7. Use the form pull down for the associations.
  8. Notice that protected collection items from Admin appear in drop down. These should be hidden

Impact

Security vulnerability where authors have access to protected data created by admin. This could be passwords emails or any other item created for the admin's collection.

See images below for more context

Permissions set
image

Good at top level no items seen
image

Drop down in Author login can see Admin data
image

References

@derrickmehaffy derrickmehaffy published to strapi/strapi Jun 12, 2024
Published by the National Vulnerability Database Jun 12, 2024
Published to the GitHub Advisory Database Jun 12, 2024
Reviewed Jun 12, 2024
Last updated Jun 14, 2024

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

EPSS score

0.043%
(10th percentile)

Weaknesses

CVE ID

CVE-2024-29181

GHSA ID

GHSA-6j89-frxc-q26m

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.