CVE-2023-34093

Severity: High (CVSS 3.1 base score 7.1)
EPSS: 44.3%
Published: Jul 25, 2023
Last Modified: Jun 17, 2026

Description

Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability affects only Strapi's handling of content types, not the content types themselves. Users can use plugins or modify their own content types without realizing that the `privateAttributes` getter is being removed, which can result in any attribute becoming public. This can lead to sensitive information being exposed, or to the entire system being taken over by an attacker (for example, through access to password hashes). Anyone can be impacted, depending on how content types are used or extended. If the users are mutating the content-type, they will not be affected. Version 4.10.8 contains a patch for this issue.
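The getter-loss mechanism the description refers to, shown as an added illustration that is not Strapi's code and not taken from the advisory: a constructed content-type schema, a registry function that exposes `privateAttributes` as a non-enumerable getter, a response sanitizer that trusts that getter, and a hardened sanitizer that recomputes the private set from the attribute definitions on every call. The function names `registerContentType`, `sanitizeVulnerable`, `sanitizeFixed`, `extendContentType`, the sample schema and the sample row are all assumptions made for this example; consult the 4.10.8 patch linked under References for what Strapi actually changed.

```javascript
// Added example modelling CVE-2023-34093. Not Strapi's own code: the schema
// shape, the getter and both sanitizers are constructed to show the pattern.

// Constructed schema for a user content type. `private: true` marks fields that
// must never appear in API responses.
const userSchema = {
  uid: 'plugin::users-permissions.user',
  attributes: {
    username: { type: 'string' },
    email: { type: 'email' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
  },
};

// Model of the pre-patch behaviour: the list of private attributes lives on the
// content-type object as a non-enumerable accessor, not as plain data.
function registerContentType(schema) {
  const ct = { ...schema };
  Object.defineProperty(ct, 'privateAttributes', {
    enumerable: false,
    get() {
      return Object.keys(ct.attributes).filter((k) => ct.attributes[k].private === true);
    },
  });
  return ct;
}

// Vulnerable sanitizer: trusts whatever `privateAttributes` the object carries.
// When the accessor is absent, nothing is stripped and the hash leaks.
function sanitizeVulnerable(ct, entity) {
  const hidden = new Set(ct.privateAttributes || []);
  return Object.fromEntries(Object.entries(entity).filter(([k]) => !hidden.has(k)));
}

// Hardened sanitizer: derive the private set from the attribute definitions
// each time, so a copied or extended schema is treated exactly like the original.
function getPrivateAttributes(ct) {
  return Object.keys(ct.attributes || {}).filter((k) => ct.attributes[k].private === true);
}
function sanitizeFixed(ct, entity) {
  const hidden = new Set(getPrivateAttributes(ct));
  return Object.fromEntries(Object.entries(entity).filter(([k]) => !hidden.has(k)));
}

// A plugin "extends" the content type the obvious way: object spread. Spread
// copies own enumerable data properties only, so the accessor silently vanishes.
function extendContentType(ct, extraAttributes) {
  return { ...ct, attributes: { ...ct.attributes, ...extraAttributes } };
}

// Constructed database row, including values that must stay private.
const storedUser = {
  id: 1,
  username: 'alice',
  email: 'alice@example.com',
  password: '$2a$10$constructed.hash.value.for.illustration.only',
  resetPasswordToken: 'constructed-reset-token',
};

// Run both sanitizers against the registered schema and against a spread copy,
// and report which keys survive in each case.
function demo() {
  const original = registerContentType(userSchema);
  const extended = extendContentType(original, { nickname: { type: 'string' } });
  return {
    getterSurvived: Object.getOwnPropertyDescriptor(extended, 'privateAttributes') !== undefined,
    vulnerableOriginal: Object.keys(sanitizeVulnerable(original, storedUser)),
    vulnerableExtended: Object.keys(sanitizeVulnerable(extended, storedUser)),
    fixedExtended: Object.keys(sanitizeFixed(extended, storedUser)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Object spread and JSON round-trips copy only own enumerable properties, so any accessor defined as non-enumerable is dropped without an error; `Object.getOwnPropertyDescriptor(copy, 'privateAttributes')` returning `undefined` is the quickest way to confirm that a schema object handed to a sanitizer has lost the getter. The hardened variant avoids the question entirely by never trusting a cached list on the object.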

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability 44.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Information Exposure)

Affected Products 1

Vendor   Product   Version Range
strapi   strapi    * (all versions) < 4.10.8

References 3

  • github.com https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de
    Patch
  • github.com https://github.com/strapi/strapi/releases/tag/v4.10.8
    Release Notes
  • github.com https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf
    Exploit

Remediation

  • github.com https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de
    Patch