Cyber Resilience

CVE-2023-22894

Severity: Medium · Public PoC

Published: 19 April 2023
Modified: 07 November 2025
KEV Added: not listed
CVSS v3.1: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.1791 (95.3rd percentile)
Risk Priority: 21 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-22894 is a medium-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Strapi. Its CVSS v3.1 base score is 4.9 (Medium); the vector requires high privileges (PR:H) and has a confidentiality-only impact (C:H/I:N/A:N).

Operationally, its EPSS score places it in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Strapi through version 4.5.5 is affected by an information disclosure vulnerability in its query filter functionality. The flaw resides in the administrative API layer: an authenticated admin-panel user can apply filters to user records on columns that hold sensitive fields, even though those fields are never returned in the response. Whether a record appears in the filtered result set therefore depends on the hidden value, and the attacker can recover that value one filter query at a time. The issue is tracked as CWE-312 and carries a CVSS 3.1 score of 4.9.

An attacker who already possesses administrative panel access uses the filter as a yes/no oracle. With super-admin rights, the columns in scope include password hashes and password-reset tokens, so the hash and outstanding reset token of every user can be recovered. With a less privileged admin account that is only permitted to see the username and email of lower-role API users (for example Editor or Author), the same technique recovers those attributes for all API users, but not for other admin accounts.

Strapi’s security disclosure and subsequent release notes indicate that the flaw is resolved in later versions; administrators are advised to upgrade and to restrict administrative query capabilities to the minimum required roles. Because the oracle needs nothing more than admin-panel access, any hash or pending reset token on an unpatched instance should be treated as potentially exposed: invalidate outstanding reset tokens after upgrading, and review admin-panel accounts and their roles.
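The following is an added illustration for this page, not Strapi's code and not the referenced proof-of-concept. It models the shape described above (a collection that can be filtered on any column but only ever returns public attributes) and shows both sides: the attacker routine that reconstructs a hidden column character by character from "did the row come back", and the hardened query function that rejects filters on sensitive attributes before they reach the data layer. The function names (findVulnerable, findHardened, recoverColumn), the sample records and the placeholder hash and token are constructed for the example; the operator names follow Strapi v4 filter syntax, but their semantics here (exact, case-sensitive string matching) are an assumption of the model, not a statement about any database backend.

```javascript
// Added illustration; not Strapi's code. Models a filterable "users"
// collection whose responses only ever contain public attributes, and shows
// how a filter on a hidden column still acts as an oracle for its value.

// Constructed sample records. The hash and token are placeholders, not real
// bcrypt output or a real reset token.
const USERS = [
  { id: 1, username: "alice", email: "alice@example.test",
    password: "$2a$10$Ab3xQ9", resetPasswordToken: "7f3a9c" },
  { id: 2, username: "bob", email: "bob@example.test",
    password: "$2a$10$Zz0yYy", resetPasswordToken: null },
];

const PUBLIC_ATTRIBUTES = ["id", "username", "email"];
const SENSITIVE_ATTRIBUTES = new Set(["password", "resetPasswordToken"]);

// Evaluate a filter object such as { password: { $startsWith: "$2a" } }.
// Operator names follow Strapi v4 syntax; matching here is an assumption
// of the model (exact, case-sensitive).
function matches(user, filters) {
  return Object.entries(filters).every(([field, conditions]) => {
    const value = user[field] == null ? "" : String(user[field]);
    return Object.entries(conditions).every(([op, arg]) => {
      const needle = String(arg);
      switch (op) {
        case "$eq": return value === needle;
        case "$startsWith": return value.startsWith(needle);
        case "$contains": return value.includes(needle);
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  });
}

// Keep only the public attributes of a matched record.
function project(user) {
  return Object.fromEntries(PUBLIC_ATTRIBUTES.map((k) => [k, user[k]]));
}

// Vulnerable shape: the filter is applied to every column and sensitive
// columns are stripped only from the output. The body never contains the
// hash, but whether a row is returned at all depends on it.
function findVulnerable(filters) {
  return USERS.filter((u) => matches(u, filters)).map(project);
}

// Hardened shape: refuse to filter on sensitive attributes before the query
// reaches the data layer, so no response can depend on their values.
function findHardened(filters) {
  for (const field of Object.keys(filters)) {
    if (SENSITIVE_ATTRIBUTES.has(field)) {
      throw new Error(`filtering on "${field}" is not permitted`);
    }
  }
  return findVulnerable(filters);
}

// Characters that can appear in a bcrypt-style hash or a hex token.
const ALPHABET =
  "$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Attacker side: recover a column the caller cannot read, one character at
// a time, using only "did the row come back" as the oracle. The id filter
// pins one target so each query answers a yes/no question about one record.
function recoverColumn(find, userId, field, maxLen = 80) {
  let known = "";
  let queries = 0;
  while (known.length < maxLen) {
    let extended = false;
    for (const ch of ALPHABET) {
      queries += 1;
      const rows = find({ id: { $eq: userId }, [field]: { $startsWith: known + ch } });
      if (rows.length === 1) {
        known += ch;
        extended = true;
        break;
      }
    }
    // No character extends the prefix: the full value is recovered
    // (or the stored value is empty or null).
    if (!extended) break;
  }
  return { value: known, queries };
}

// Stand-alone demo.
console.log(recoverColumn(findVulnerable, 1, "password"));
console.log(recoverColumn(findVulnerable, 1, "resetPasswordToken"));
try {
  recoverColumn(findHardened, 1, "password");
} catch (e) {
  console.log("hardened:", e.message);
}
```

Each recovered character costs at most one request per alphabet symbol, so a full bcrypt hash is a few thousand cheap requests rather than an offline attack. The hardened check belongs on every query parameter whose effect on the response can depend on a hidden column: sort order and aggregation on a sensitive attribute are the same oracle as a filter, and a backend that matches case-insensitively only changes how many extra $eq queries the attacker needs at the end.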

The EPSS score peaked at 0.2096 and currently stands at 0.1791, indicating moderate post-disclosure interest rather than a sharp low-to-high climb.

Vulnerability details

Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.

CWE(s)

CWE-312 (Cleartext Storage of Sensitive Information)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: strapi
Product: strapi
Versions: 3.2.1 — 4.8.0

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Each of the controls below addresses CWE-312:

- Training on secure data handling discourages cleartext storage of sensitive information.
- Data action mapping can detect storage actions that leave sensitive information in cleartext.
- Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.
- Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.
- Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.
- Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.
- Reduces cleartext storage of sensitive data when OPSEC identifies and mandates protection of key information artifacts.

These are generic CWE-312 controls and do not close the filter oracle itself; the direct mitigations for this CVE are the upgrade and the restriction of administrative query capabilities described under Deeper analysis.
