Strix
26.1K

CVE-2023-34093

HIGHCVSS 7.1/10EPSS 0.60%

Last modified

CVE-2023-34093 is a high-severity vulnerability rated 7.1/10 on the CVSS scale. Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the actual content types themselves. Users can use plugins or modify their own content types without realizing that the `privateAttributes` getter is being removed, which can result in any attribute becoming public. This can lead to sensitive information being exposed or the entire system being taken control of by an attacker(having access to password hashes). Anyone can be impacted, depending on how people are using/extending content-types. If the users are mutating the content-type, they will not be affected. Version 4.10.8 contains a patch for this issue.

Metrics

CVSS 3.1
7.1/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

EPSS Probability
0.60%

44.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
StrapiStrapi< 4.10.8

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2023-34093?
Strapi is an open-source headless content management system. Prior to version 4.10.8, anyone (Strapi developers, users, plugins) can make every attribute of a Content-Type public without knowing it. The vulnerability only affects the handling of content types by Strapi, not the actual content types themselves. Users can use plugins or modify their own content types without realizing that the `privateAttributes` getter is being removed, which can result in any attribute becoming public. This can lead to sensitive information being exposed or the entire system being taken control of by an attacker(having access to password hashes). Anyone can be impacted, depending on how people are using/extending content-types. If the users are mutating the content-type, they will not be affected. Version 4.10.8 contains a patch for this issue.
How severe is CVE-2023-34093?
CVE-2023-34093 has a CVSS score of 7.1/10 (HIGH severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.
How do I fix CVE-2023-34093?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-34093?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST