CVE-2023-37263 - Strapi Headless CMS: Unauthorized Field Access in Relationship Titles Prior to v4.12.1

Strapi, a popular open-source headless content management system (CMS), is affected by a security vulnerability tracked as CVE-2023-37263. The vulnerability concerns field-level permissions in relationship titles: a field that a user is not allowed to read can still be exposed when it is used as part of a relation's display title. Strapi v4 releases prior to v4.12.1 are affected, and the issue is fixed in version 4.12.1.

Main article:

Strapi is widely used as a headless CMS, allowing developers to create powerful custom back-end APIs suited for their front-end needs. Among its numerous features, Strapi includes a robust system for managing access control and permissions for different fields within the CMS.

However, researchers identified that prior to the release of Strapi v4.12.1, the field level permissions were not fully respected in the relationship titles. Fields that were supposed to remain hidden from certain users could still be viewed if they appeared in a relationship title.

This vulnerability is referenced under Common Vulnerabilities and Exposures (CVE) as CVE-2023-37263.

Vulnerability Details

The core issue is that Strapi did not enforce field-level permissions when rendering a relationship field's title. If an actor (user) has permission to read the relation itself but does not have permission to read a restricted field of the related content type, that field was still shown whenever it was part of the relationship title.

Example

Let's consider a basic Strapi model with two content types: Author and Book. There is a many-to-one relationship between Book and Author. There are three fields in the Author content type: id, name, and email. Users with limited permissions are not supposed to see the email addresses of authors.

If the relationship title for Book was set to show the Author's name and email, users who have permission to view the Book with the relationship would be shown the Author's email addresses, even though they do not have permission to view this information.

The following code snippet demonstrates the issue:

// models/book.js
// Book has a many-to-one relation to Author; the foreign key lives on the book row.
module.exports = {
  attributes: {
    title: {
      type: 'string',
      required: true,
    },
    author: {
      model: 'author',          // target content type
      columnName: 'author_id',  // FK column on the book table
      required: true,
    },
  },
};

// models/author.js
// Three fields: id, name, and email. Only email is meant to be restricted.
module.exports = {
  attributes: {
    id: {
      type: 'number',           // primary key of the author table
    },
    name: {
      type: 'string',
      required: true,
    },
    email: {
      type: 'string',           // restricted: not every role may read this
      required: true,
    },
  },
};

// A user without read permission on author.email can still see it when the
// relationship title for Book is configured to show the author's name and email.
/*
GET /books HTTP/1.1
Host: example.com
...

HTTP/1.1 200 OK
...
[
  {
    "title": "Sample Book",
    "author": {
      "id": 1,
      "name": "John Doe",
      // Visible despite the restricted field-level permission
      "email": "john.doe@example.com"
    }
  },
  ...
]
*/
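The fix in Strapi is internal to the admin API, but the defensive pattern it applies is worth seeing in isolation: strip every field the caller may not read from a populated relation before building its display title, so a restricted attribute like author.email cannot leak through the title. The following is an added example written for this article, not Strapi's own code; the role policy (FIELD_PERMISSIONS), the RELATIONS map and the sample records are constructed for illustration and mirror the Book/Author models above.

```javascript
// Added example (not Strapi's own code): enforce field-level read permissions
// on a populated relation before it is serialised or turned into a title.
// The policy and sample data below are constructed for this illustration.

// Fields each role may read, per content type (constructed sample policy).
const FIELD_PERMISSIONS = {
  editor: {
    book: ['id', 'title', 'author'],
    author: ['id', 'name', 'email'],
  },
  viewer: {
    book: ['id', 'title', 'author'],
    author: ['id', 'name'],           // viewers must never see 'email'
  },
};

// Relation attributes per content type and the content type they target.
// Mirrors the book -> author relation from the models above (constructed).
const RELATIONS = {
  book: { author: 'author' },
  author: {},
};

// Return a copy of `entity` holding only the fields `role` may read for
// `contentType`, recursing into populated relations (single or array).
// An unknown role or content type yields null rather than the raw record.
function sanitizeEntity(entity, contentType, role) {
  const allowed = FIELD_PERMISSIONS[role]?.[contentType];
  if (!allowed || entity === null || typeof entity !== 'object') return null;
  const out = {};
  for (const field of allowed) {
    if (!(field in entity)) continue;
    const target = RELATIONS[contentType]?.[field];
    const value = entity[field];
    if (target && value !== null && typeof value === 'object') {
      out[field] = Array.isArray(value)
        ? value.map((v) => sanitizeEntity(v, target, role))
        : sanitizeEntity(value, target, role);
    } else {
      out[field] = value;
    }
  }
  return out;
}

// Build the display title of a related entry from the configured title fields,
// dropping any field the role is not permitted to read instead of leaking it.
function relationTitle(entity, contentType, role, titleFields) {
  const safe = sanitizeEntity(entity, contentType, role);
  if (!safe) return '';
  return titleFields
    .filter((f) => f in safe)
    .map((f) => String(safe[f]))
    .join(' - ');
}

// The unfiltered response body from the example above (constructed data).
const RAW_BOOKS = [
  {
    id: 10,
    title: 'Sample Book',
    author: { id: 1, name: 'John Doe', email: 'john.doe@example.com' },
  },
];

// What the /books response should contain for a given role.
function booksForRole(role) {
  return RAW_BOOKS.map((b) => sanitizeEntity(b, 'book', role));
}

console.log(JSON.stringify(booksForRole('viewer'), null, 2));
console.log(relationTitle(RAW_BOOKS[0].author, 'author', 'viewer', ['name', 'email']));
```

The important design choice is that the title is derived from the already-sanitized entity rather than from the raw record: the permission check happens once, at the data layer, so every consumer (REST response, admin list view, relation picker) sees the same filtered view. Checking permissions only where the JSON body is emitted is exactly the gap that let the title path bypass the restriction.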

Mitigation and Remediation

The Strapi team was notified of this vulnerability, and they released version 4.12.1 which addresses this issue. As a Strapi user, it is highly recommended to upgrade your Strapi installation to v4.12.1 or later.

Running a fixed version ensures that restricted fields are no longer exposed through relationship titles, which protects the confidentiality of data such as personal contact details that roles were never meant to read.
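To check an installation against the fixed release, a practitioner typically reads the Strapi version declared in the project's package.json. The snippet below is an added example, not part of the original article or of Strapi; it assumes the v4 package name @strapi/strapi and uses a constructed package.json as input. For a range specifier such as "^4.10.0" it evaluates the lowest version the range admits, so the lockfile or `npm ls @strapi/strapi` remains the authoritative answer for what is actually installed.

```javascript
// Added example (not Strapi project code): report whether a project's declared
// @strapi/strapi version is below the fixed release for CVE-2023-37263.
// Input package.json text is constructed sample data.

const FIXED_VERSION = '4.12.1';

// Parse "4.12.0", "^4.10.5", "~4.9.0", "=4.12.1" or "v4.12.1" into
// [major, minor, patch]. Returns null for anything this parser does not handle
// (tags such as "latest", complex ranges, git URLs).
function parseVersion(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one of:
//   'below-fix' - declared floor is a 4.x version older than 4.12.1
//   'fixed'     - declared floor is 4.12.1 or newer
//   'unknown'   - specifier not parseable, or not on the 4.x line this CVE covers
//   'absent'    - @strapi/strapi is not declared at all
function assessStrapiPackage(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const spec =
    pkg.dependencies?.['@strapi/strapi'] ?? pkg.devDependencies?.['@strapi/strapi'];
  if (spec === undefined) return 'absent';
  const v = parseVersion(spec);
  if (!v || v[0] !== 4) return 'unknown';
  return compareVersions(v, parseVersion(FIXED_VERSION)) < 0 ? 'below-fix' : 'fixed';
}

// Constructed sample: a project still pinned below the fix.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'my-cms',
  dependencies: { '@strapi/strapi': '4.11.7' },
});

console.log(assessStrapiPackage(SAMPLE_PACKAGE_JSON));
```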

References

1. Strapi v4.12.1 Release Notes
2. Strapi: Updating to the Latest Version
3. CVE-2023-37263 - MITRE

Timeline

Published on: 09/15/2023 19:15:08 UTC
Last modified on: 09/20/2023 15:38:23 UTC