CVE-2023-22894
Published: 19 April 2023
Summary
CVE-2023-22894 is a medium-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Strapi (vendor: Strapi). Its CVSS base score is 4.9 (Medium).
Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Strapi through version 4.5.5 is affected by an information disclosure vulnerability in its query filter functionality. The flaw resides in the administrative API layer and permits an authenticated user to filter user records on columns containing sensitive fields, then infer the stored values from differences in API responses. The issue is tracked as CWE-312 and carries a CVSS 3.1 score of 4.9.
An attacker who already possesses administrative panel access can use the filter to enumerate password hashes and password-reset tokens for every user when the attacker's account has super-admin rights. With a less privileged admin account that can view only lower-role API users, the same technique yields usernames, email addresses, and other attributes for all non-admin accounts, but not for other admin accounts.
Strapi’s security disclosure and subsequent release notes indicate that the flaw is resolved in versions after 4.5.5; administrators are advised to upgrade and to restrict administrative query capabilities to the minimum required roles.
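The role restriction recommended above only limits who can send such queries; a server-side gate can additionally refuse any filter clause that constrains a sensitive column, so that responses can no longer differ based on those values. The code below is an added defensive example written for this page, not Strapi's own code or its fix. It is modelled on the bracket-notation filters Strapi's v4 REST API accepts (`filters[$or][0][email][$eq]=...`, logical operators `$and`/`$or`/`$not`, field operators such as `$eq` or `$startsWith`); the column names `password` and `resetPasswordToken`, the helper names, and the sample query strings are assumptions constructed for the example.

```javascript
// Added example, not Strapi's own code. Walks a Strapi-v4-style filter
// object and reports every clause that names a sensitive column, so the
// request can be rejected before it reaches the database layer.

// Assumed column names for this example.
const SENSITIVE_FIELDS = new Set(["password", "resetPasswordToken"]);

// Operators whose value is a sub-filter (or array of sub-filters) rather
// than a comparison on the enclosing column.
const LOGICAL_OPERATORS = new Set(["$and", "$or", "$not"]);

// Segments that must never be used as object keys when building a query
// object from untrusted input (prototype pollution guard).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Returns dotted paths of all sensitive columns referenced in `filter`.
// Handles logical groups ({ $or: [ ... ] }) and nested relation filters
// ({ role: { users: { password: { ... } } } }).
function findSensitiveFilterPaths(filter, path = []) {
  if (Array.isArray(filter)) {
    return filter.flatMap((item) => findSensitiveFilterPaths(item, path));
  }
  if (filter === null || typeof filter !== "object") {
    return [];
  }
  const hits = [];
  for (const [key, value] of Object.entries(filter)) {
    if (LOGICAL_OPERATORS.has(key)) {
      hits.push(...findSensitiveFilterPaths(value, path));
    } else if (key.startsWith("$")) {
      // Field operator ($eq, $startsWith, $in, ...): the column was already
      // named by the enclosing key, so there is nothing further to inspect.
      continue;
    } else if (SENSITIVE_FIELDS.has(key)) {
      hits.push([...path, key].join("."));
    } else {
      hits.push(...findSensitiveFilterPaths(value, [...path, key]));
    }
  }
  return hits;
}

// Minimal parser for bracket notation, e.g.
// "filters[$or][0][email][$eq]=a" -> { filters: { $or: [ { email: { $eq: "a" } } ] } }.
// Numeric segments become array indexes. This stands in for the qs-style
// parsing a real framework performs and is only as complete as the example needs.
function parseBracketQuery(queryString) {
  const root = {};
  for (const pair of queryString.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey);
    const value = decodeURIComponent(rawValue.replace(/\+/g, " "));
    const segments = key.replace(/\]/g, "").split("[");
    let node = root;
    segments.forEach((segment, i) => {
      if (FORBIDDEN_SEGMENTS.has(segment)) {
        throw new Error(`Rejected unsafe query key segment: ${segment}`);
      }
      if (i === segments.length - 1) {
        node[segment] = value;
        return;
      }
      const nextIsIndex = /^\d+$/.test(segments[i + 1]);
      if (node[segment] === undefined) {
        node[segment] = nextIsIndex ? [] : {};
      }
      node = node[segment];
    });
  }
  return root;
}

// Gate to run before the query reaches the ORM: throws if any filter clause
// touches a sensitive column, otherwise returns the parsed query.
function assertSafeQuery(queryString) {
  const query = parseBracketQuery(queryString);
  const offending = findSensitiveFilterPaths(query.filters ?? {});
  if (offending.length > 0) {
    throw new Error(`Filtering on sensitive field(s) is not permitted: ${offending.join(", ")}`);
  }
  return query;
}

// Constructed sample requests for this example (not taken from the page).
const SAMPLE_QUERIES = {
  harmless: "filters[$or][0][email][$eq]=a%40example.test&filters[$or][1][username][$contains]=alice",
  directField: "filters[password][$startsWith]=x",
  nestedRelation: "filters[$and][0][role][users][resetPasswordToken][$notNull]=true",
};

for (const [name, q] of Object.entries(SAMPLE_QUERIES)) {
  try {
    assertSafeQuery(q);
    console.log(`${name}: accepted`);
  } catch (err) {
    console.log(`${name}: rejected (${err.message})`);
  }
}
```

The walk is deliberately deny-list based on column names rather than on operators: any comparison on a sensitive column, including one reached through a relation or wrapped in `$not`, conditions the response on the stored value, which is exactly what the advisory describes. In a deployment the gate would sit in a request middleware for the affected admin and user endpoints, alongside the upgrade, not instead of it.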
The associated EPSS score peaked at 0.2096, reflecting moderate post-disclosure interest without a pronounced rise from low to high.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1342
Vulnerability details
Strapi through 4.5.5 allows attackers (with access to the admin panel) to discover sensitive user details by exploiting the query filter. The attacker can filter users by columns that contain sensitive information and infer a value from API responses. If the attacker has super admin access, then this can be exploited to discover the password hash and password reset token of all users. If the attacker has admin panel access to an account with permission to access the username and email of API users with a lower privileged role (e.g., Editor or Author), then this can be exploited to discover sensitive information for all API users but not other admin accounts.
- CWE(s): CWE-312 (Cleartext Storage of Sensitive Information)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-312) cited in the NVD entry, so it addresses cleartext storage in general rather than this specific flaw. The vendor-specific remediation remains the upgrade and the restriction of administrative query capabilities described above.
- Training on secure data handling discourages cleartext storage of sensitive information.
- Data action mapping can detect storage actions that leave sensitive information in cleartext.
- Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.
- Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.
- Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.
- Requiring confidentiality protection for information at rest eliminates cleartext storage of sensitive data on persistent media.
- OPSEC reviews that identify key information artifacts and mandate their protection reduce cleartext storage of sensitive data.