CVE-2024-56143

描述

### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. ### PoC 1. Create a strapi app. 2. Create a content-type 3. In the content-type you make a new entry 4. Go back to the list view 4. Add `&lookup[updatedBy][password][$startsWith]=$2` to the end of your url (All passwords start with $2) see that all entries are still there 6. Add `&lookup[updatedBy][password][$startsWith]=$3` see the entry disappear proving that the search above works ### Impact An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.

受影響套件(1)

• npm/@strapi/core>= 5.0.0, < 5.5.2

CVSS 分數

參考連結(4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-56143
• PATCHhttps://github.com/strapi/strapi
• WEBhttps://github.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8
• WEBhttps://github.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2