Information Exposure Affecting @strapi/utils package, versions <4.10.8


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.09% (41st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-STRAPIUTILS-5805054
  • published26 Jul 2023
  • disclosed25 Jul 2023
  • creditMarc Roig

Introduced: 25 Jul 2023

CVE-2023-34093  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade @strapi/utils to version 4.10.8 or higher.

Overview

@strapi/utils is a Shared utilities for the Strapi packages

Affected versions of this package are vulnerable to Information Exposure by developers, users, or plugins, all of who can make every attribute of a Content-Type public without knowing it. The privateAttributes getter is removed when content types are modified, which can result in any attribute becoming public.

NOTE: If a user mutates the content-type they will not be affected.

PoC

strapi.container.get('content-types').extend(contentTypeUID, (contentType) => {
  const newCT = { ... contentType, attributes: { ...contentType.attributes, newAttr: {} } };
  return newCT;
});

Copying a content-type causes the getter to be removed.

CVSS Scores

version 3.1