Information Exposure Affecting @strapi/database package, versions <4.10.8


medium

Snyk CVSS

    Attack Complexity High
    Privileges Required High
    User Interaction Required
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.06% (22nd percentile)
NVD
7.1 high

  • Snyk ID SNYK-JS-STRAPIDATABASE-5805053
  • published 26 Jul 2023
  • disclosed 25 Jul 2023
  • credit Marc Roig

How to fix?

Upgrade @strapi/database to version 4.10.8 or higher.

Overview

@strapi/database is Strapi's database layer.

Affected versions of this package are vulnerable to Information Exposure. Developers, users, or plugins that modify a Content-Type can unknowingly make every attribute of that Content-Type public: the privateAttributes getter, which tells Strapi which attributes must be withheld from responses, is removed when the content type is copied during modification, so attributes marked private can be returned to callers like any other attribute.

NOTE: Code that mutates the existing content-type object in place is not affected; the getter is lost only when the content type is copied into a new object.

PoC

// Extend an existing content type by spreading it into a new object.
// The spread copies `attributes` and the other data properties, but not the
// privateAttributes getter, so the returned schema reports no private attributes.
strapi.container.get('content-types').extend(contentTypeUID, (contentType) => {
  const newCT = { ...contentType, attributes: { ...contentType.attributes, newAttr: {} } };
  return newCT;
});

Copying a content-type causes the getter to be removed: object spread (and Object.assign) copies only own enumerable data values, so an accessor property defined with Object.defineProperty, which is non-enumerable by default, is simply absent from the copy. Any later check that reads privateAttributes from the copied schema then finds nothing to hide.
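The following is an added illustration, not Strapi's code and not the advisory's own PoC. It models a content-type schema whose privateAttributes is a non-enumerable getter (an assumption about how the getter is defined), a sanitizer that trusts that getter, the spread-copy pattern from the PoC that drops it, and two ways of closing the hole: copying property descriptors so the getter survives, and deriving private attributes from the attribute definitions so the sanitizer no longer depends on the getter at all. The schema, record, and function names (makeContentType, sanitizeOutput, extendByCopy, extendSafely, sanitizeOutputHardened) are constructed for this example.

```javascript
// Constructed example: how a non-enumerable `privateAttributes` getter is
// lost on copy and how a getter-trusting sanitizer then leaks private fields.
// Nothing here is Strapi's actual implementation; names are hypothetical.

// Derive private attributes directly from the attribute definitions.
function getPrivateAttributes(schema) {
  return Object.keys(schema.attributes).filter(
    (name) => schema.attributes[name].private === true
  );
}

// Build a schema exposing privateAttributes through a getter. Assumed here to
// be defined with Object.defineProperty, which makes it non-enumerable.
function makeContentType(uid, attributes) {
  const schema = { uid, attributes };
  Object.defineProperty(schema, 'privateAttributes', {
    get() { return getPrivateAttributes(this); },
  });
  return schema;
}

// Vulnerable pattern: trusts the getter. When the getter is missing the
// fallback is an empty list, so every attribute is returned.
function sanitizeOutput(schema, entity) {
  const hidden = new Set(schema.privateAttributes || []);
  return Object.fromEntries(
    Object.entries(entity).filter(([key]) => !hidden.has(key))
  );
}

// The PoC's pattern: spread copies own enumerable data properties only,
// so the accessor does not exist on the new object.
function extendByCopy(contentType, newAttrs) {
  return { ...contentType, attributes: { ...contentType.attributes, ...newAttrs } };
}

// Safer copy: cloning property descriptors carries the getter across, and
// `this` inside the getter now refers to the copy.
function extendSafely(contentType, newAttrs) {
  const copy = Object.defineProperties({}, Object.getOwnPropertyDescriptors(contentType));
  copy.attributes = { ...contentType.attributes, ...newAttrs };
  return copy;
}

// Hardened sanitizer: recompute private attributes from the definitions
// instead of depending on the getter having survived.
function sanitizeOutputHardened(schema, entity) {
  const hidden = new Set(getPrivateAttributes(schema));
  return Object.fromEntries(
    Object.entries(entity).filter(([key]) => !hidden.has(key))
  );
}

// Runs each variant over a constructed user schema and record and returns
// the keys each sanitizer lets through.
function demo() {
  const user = makeContentType('plugin::users-permissions.user', {
    username: { type: 'string' },
    password: { type: 'password', private: true },
    resetPasswordToken: { type: 'string', private: true },
  });
  const record = { username: 'alice', password: '<bcrypt-hash>', resetPasswordToken: 'tok' };
  const extended = { bio: { type: 'text' } };
  return {
    original: Object.keys(sanitizeOutput(user, record)),
    copied: Object.keys(sanitizeOutput(extendByCopy(user, extended), record)),
    descriptors: Object.keys(sanitizeOutput(extendSafely(user, extended), record)),
    hardened: Object.keys(sanitizeOutputHardened(extendByCopy(user, extended), record)),
  };
}
```

Running demo() shows the getter-trusting sanitizer hiding password and resetPasswordToken on the original schema but returning all three fields on the spread copy, while both the descriptor-preserving copy and the hardened sanitizer keep the private fields hidden. Of the two fixes, recomputing private attributes from the definitions is the more robust, because it does not rely on every caller that copies a schema remembering to preserve accessors.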