@strapi/plugin-users-permissions@4.6.0-beta.2 vulnerabilities

Protect your API with a full-authentication process based on JWT

  • latest version

    5.6.0

  • latest non vulnerable version

  • first published

    3 years ago

  • latest version published

    12 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @strapi/plugin-users-permissions package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Replay Attack

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Replay Attack due to sending session tokens as URL query parameters and using instead an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method. An attacker can use the SSO token and get a JWT token to be able to interact with the various API routes.

    Notes:

    This is a competition advisory for CVE-2024-34065

    How to fix Replay Attack?

    Upgrade @strapi/plugin-users-permissions to version 4.24.2 or higher.

    <4.24.2
    • M
    Open Redirect

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Open Redirect when user-controllable data is incorporated into the target of a redirection in an unsafe way. In this specific context, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.

    Notes:

    If parameter $_GET["callback"] is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning.

    The value is then stored in the cookie koa.sess:

    koa.sess=eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9

    Which once base64 decoded become {"grant":{"provider":"microsoft","dynamic":{"callback":"https://<TARGET>/users/auth/redirect"}},"_expire":1701275652123,"_maxAge":86400000}.

    The signature of the cookie is stored in cookie koa.sess.sig: koa.sess.sig=wTRmcVRrn88hWMdg84VvSD87-_0

    How to fix Open Redirect?

    Upgrade @strapi/plugin-users-permissions to version 4.24.2 or higher.

    <4.24.2
    • H
    Improper Access Control

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Improper Access Control via the "User Registration" API due to improper sanitization of custom fields. An attacker can gain unauthorized access to private fields during user registration by sending a post request with content to fill the private fields.

    How to fix Improper Access Control?

    Upgrade @strapi/plugin-users-permissions to version 4.13.1 or higher.

    >=4.0.0 <4.13.1
    • H
    Denial of Service (DoS)

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Denial of Service (DoS) such that an attacker can circumvent the rate limit on the login function of Strapi's admin screen.

    How to fix Denial of Service (DoS)?

    Upgrade @strapi/plugin-users-permissions to version 4.12.1 or higher.

    <4.12.1
    • H
    Authentication Bypass

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Authentication Bypass when using the AWS Cognito login provider's None signing algorithm during the OAuth flow.

    NOTE: After upgrading to the fixed version the AWS Cognito provider must be reconfigured to include the JWKS URL.

    How to fix Authentication Bypass?

    Upgrade @strapi/plugin-users-permissions to version 4.6.0 or higher.

    >=4.0.0-next.0 <4.6.0