Two account compromise flaws fixed in Strapi headless CMS

Users of Strapi, a popular headless content management system written entirely in JavaScript and focused on API development, should update their installations as soon as possible to fix two vulnerabilities that could lead to administrative accounts being compromised.

According to researchers with the Synopsys Cybersecurity Research Center (CyRC), the flaws allow a user with low privileges to access sensitive data that can be used to perform a password reset for a higher privileged account, such as the administrator. This means attackers need to gain access to a low-privileged account first and this can be achieved via compromised credentials, phishing or other methods.

Strapi is a headless content management system built on top of the Node.js JavaScript runtime with support for a variety of databases and frontend frameworks. A headless CMS provides the backend for creating, managing and storing content which is then exposed through an API and can be accessed using independently built frontends. These can be websites, mobile applications or even IoT devices.

Strapi is open-source and provides an easy way for companies to design APIs for a variety of use cases. While its market share is small compared to general purpose content management systems such as WordPress or Joomla, the project is popular with enterprises and lists some big organizations as users including Societe Generale, IBM, NASA, Generali, Walmart and Toyota.

Two similar data exposure flaws in the admin panel and API

The Synopsys researchers found the first vulnerability, tracked as CVE-2022-30617 in November. The flaw allows an authenticated user who has access to the Strapi admin panel to access email and password reset tokens for administrative users with whom they have a content relationship.

“For example, a low-privileged ‘Author’ role account can view these details in the JSON response for an ‘Editor’ or ‘Super Admin’ that has updated one of the author’s blog posts,” the researchers explained in their advisory. “There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship.”

With the leaked information an attacker can initiate the password reset workflow for the higher privileged user. Strapi supports role-based access control (RBAC) and single sign-on (SSO) integration with identity providers and Microsoft Active Directory.

The CVE-2022-30617 flaw is rated 8.8 (High) in the Common Vulnerabilities Scoring System (CVSS) and was patched in the Strapi v4.0.0 back in November. However, the patch was backported to Strapi v3.6.10, which was released this month.

After reviewing the initial fix for CVE-2022-30617, the Synopsys researchers found a similar vulnerability in the API permissions system that affects API users managed by the plugin users-permissions. This new vulnerability is tracked as CVE-2022-30618 and is rated 7.5 (High).

The flaw allows authenticated users with access to the Strapi admin panel to access email and password reset tokens for API users if the content they have access to also has a relationship to other API users. Exploitation requires the password reset API endpoint to be enabled.

“In a worst-case scenario, a low-privileged user gets access to a high-privileged API account and can thereby read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users,” the researchers said.

The CVE-2022-30618 flaw was reported to the Strapi maintainers in December and was fixed in versions 3.6.10 and 4.0.10, which were released on May 11.