In Strapi, an open-source headless content management system (CMS), versions prior to 4.10.8 can leak private fields when a filter key carries the t(number) table-alias prefix used in Knex queries. This vulnerability can lead to further filtering attacks on the admin account, potentially exposing sensitive user information such as passwords and reset-tokens. The issue has been addressed in Strapi version 4.10.8.

Vulnerability Details

Strapi is a popular, open-source headless CMS that allows developers to create, manage, and distribute content through RESTful APIs, GraphQL, or other platforms. However, a vulnerability has been discovered in versions prior to 4.10.8, which can lead to private field leaks.

The vulnerability lies in the way filter keys that carry the Knex t(number) table-alias prefix are handled. By supplying a different alias prefix, a user can redirect the filter at another table. For example, if a user changes the prefix to another table:

// Original query: password
// After prefix change: t1.password

In this scenario, the password field is protected by the filtering mechanisms in place. However, when the t1.password notation is used, these protections are not applied. This allows an attacker to potentially access sensitive information related to the target object, such as admin account passwords and reset-tokens.

Exploitation

To exploit this vulnerability, an attacker can manipulate the default prefix and target specific tables that may hold sensitive information. By doing so, they can gain access to private fields that were not meant to be accessible. The attacker may then use this information to launch further attacks, including attempting to log in to an admin account using a leaked password.

Mitigation

To protect yourself from this vulnerability, update Strapi to version 4.10.8 or later, which comes with a fix for the issue. Additionally, monitor your Strapi CMS instances for any suspicious activity and be sure to follow best practices for securing your Strapi instance.

References

- Strapi official website
- Strapi GitHub repository
- CVE-2023-34235, Mitre
- Strapi changelog

Conclusion

With the discovery of CVE-2023-34235, it has become clear that Strapi users should update to version 4.10.8 or later for protection against potential field leak attacks. As always, it is important to remain vigilant about your software's security and maintain regular updates to keep systems protected against new threats.

Timeline

Published on: 07/25/2023 18:15:00 UTC
Last modified on: 08/02/2023 19:02:00 UTC