Authorization Bypass Through User-Controlled Key Affecting @strapi/plugin-content-manager package, versions <4.19.1
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-STRAPIPLUGINCONTENTMANAGER-7251657
- published13 Jun 2024
- disclosed12 Jun 2024
- creditFelix Ortiz
Introduced: 12 Jun 2024
CVE-2024-29181 (opens in a new tab)How to fix?
Upgrade @strapi/plugin-content-manager to version 4.19.1 or higher.
Overview
@strapi/plugin-content-manager is an A powerful UI to easily manage your data.
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key due to improper access control mechanisms in the Admin Panel. An attacker can view unauthorized data by exploiting the relations between collections.
PoC
Sign in as Admin. Navigate to content creation.
Select a collection and verify you have items you created there. And that they have associations to other protected collections.
Verify role permissions for your collections are set to CRUD if user created.
Log out and sign in as a unrelated Author.
Navigate to content management and verify you see collections built by admin but empty for you (as expected)
Create a new item as an Author and see the card appear with attributes to fill out.
Use the form pull down for the associations.
Notice that protected collection items from Admin appear in drop down. These should be hidden