CVSS 7.6 | CWE-287

CVE-2023-39345: Unauthorized Access to Private Fields in User Registration API in strapi

First published: Fri Nov 03 2023

### System Details

| Name | Value |
|----------|------------------------|
| OS | Windows 11 |
| Version | 4.11.1 (node v16.14.2) |
| Database | mysql |

### Description

I marked some fields as private fields in the user content-type and tried to register as a new user via the API; at the same time I added content to fill the private fields and sent a POST request, and as you can see from the images below, I can write to the private fields.

![register](https://user-images.githubusercontent.com/32245914/246987508-9337ffd5-c681-4f51-9a0b-2490b424ca1e.png)
![user](https://user-images.githubusercontent.com/32245914/246987564-9f440b3f-a7a3-4710-9b75-0854667fc35d.png)
![private_field](https://user-images.githubusercontent.com/32245914/246987590-9c0ecefd-fd64-4221-b642-e730ea55d440.png)
![table](https://user-images.githubusercontent.com/32245914/246987604-009e6808-5690-458e-aa87-57dda7d4589d.png)

To prevent this, I went to the extension area and tried to extend the register method; for this I wanted to use the sanitizeInput function that I know from the Strapi source code. But the sanitizeInput function did not filter out private fields.

```js
// Attempt using Strapi's own content-API input sanitizer inside the extended
// register controller (`ctx` is the Koa context, `strapi` the global instance).
const { sanitize } = require('@strapi/utils');

const { auth } = ctx.state;
const data = ctx.request.body;
const userSchema = strapi.getModel('plugin::users-permissions.user');
// The sanitizer is async; its return value is what must be used afterwards.
const sanitizedData = await sanitize.contentAPI.input(data, userSchema, { auth });
```

Here's the solution I've temporarily kept to myself, code snippet:

```js
const _ = require('lodash');
// ApplicationError is only needed if the optional throw below is enabled.
const { errors: { ApplicationError } } = require('@strapi/utils');

const body = ctx.request.body;
const { attributes } = strapi.getModel('plugin::users-permissions.user');
// Remove every key whose attribute is marked private on the user model.
const sanitizedData = _.omitBy(body, (value, key) => {
  const attribute = attributes[key];
  if (_.isNil(attribute)) {
    return false;
  }
  //? If you want, you can throw an error for fields that we did not expect.
  // if (_.isNil(attribute))
  //   throw new ApplicationError(`Unexpected value ${key}`);
  // if private value is true, we do not want to send it to the database.
  return attribute.private;
});
return sanitizedData;
```
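The filtering idea from the report, as an added stand-alone example that is not code from the report or from Strapi: it runs against a constructed user schema instead of a live Strapi model, drops (or, in strict mode, rejects) unknown keys as well as private ones, and returns the dropped keys so they can be logged. The schema is made up for the demo; only `password` being a private attribute mirrors Strapi's default user model, which is why an allowlist is needed for fields the registration flow must still accept.

```javascript
// Constructed user schema for the demo (not Strapi's real model).
const userAttributes = {
  username: { type: 'string' },
  email: { type: 'email' },
  password: { type: 'password', private: true },
  internalNote: { type: 'text', private: true }, // constructed private field
};

// Private attributes the registration flow must still accept from the client
// (the password is hashed server-side and never returned in responses).
const REGISTRATION_ALLOWLIST = new Set(['password']);

class UnexpectedFieldError extends Error {}

// Keep only public attributes of the model (plus the allowlist). Unknown keys
// are dropped, or rejected when `strict` is set so the request can be refused.
// Dropped keys are returned so the caller can log attempts to write them.
function sanitizeRegistrationInput(body, attributes, { strict = false } = {}) {
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    const attribute = attributes[key];
    if (attribute === undefined) {
      if (strict) throw new UnexpectedFieldError(`Unexpected field: ${key}`);
      dropped.push(key);
      continue;
    }
    if (attribute.private && !REGISTRATION_ALLOWLIST.has(key)) {
      dropped.push(key);
      continue;
    }
    clean[key] = value;
  }
  return { clean, dropped };
}

// Constructed registration body that also tries to set the private field.
const registrationBody = {
  username: 'alice',
  email: 'alice@example.com',
  password: 'correct horse battery',
  internalNote: 'client-supplied value',
};

const result = sanitizeRegistrationInput(registrationBody, userAttributes);
console.log(result); // clean keeps username/email/password; dropped is ['internalNote']
```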

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/@strapi/strapi | >=4.0.0 <4.13.1 | 4.13.1 |
| npm/@strapi/plugin-users-permissions | >=4.0.0 <4.13.1 | 4.13.1 |
| Strapi Strapi | >=4.0.0 <4.13.1 | |

Frequently Asked Questions

  • What is the severity of CVE-2023-39345?

    The severity of CVE-2023-39345 is high with a CVSS score of 7.6.

  • How does CVE-2023-39345 affect the software?

    CVE-2023-39345 affects the @strapi/strapi and @strapi/plugin-users-permissions packages in versions 4.0.0 and later, before 4.13.1.

  • What is the remedy for CVE-2023-39345?

    The remedy for CVE-2023-39345 is to update the affected packages to version 4.13.1.

  • Where can I find more information about CVE-2023-39345?

    You can find more information about CVE-2023-39345 in the following references: [1](https://github.com/strapi/strapi/security/advisories/GHSA-gc7p-j5xm-xxh2), [2](https://strapi.io/blog/security-disclosure-of-vulnerabilities-sept-2023), [3](https://github.com/advisories/GHSA-gc7p-j5xm-xxh2).

© 2024 SecAlerts Pty Ltd.