Описание
Bypass of field access control in strapi-plugin-protected-populate
Impact
Users are able to bypass the field level security. This means fields that they where not allowed to populate could be populated anyway even in the event that they tried to populate something that they don't have access to.
Patches
This issue has been patched in 1.3.4
Workarounds
None
Ссылки
- https://github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7
- https://nvd.nist.gov/vuln/detail/CVE-2023-48218
- https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39
- https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4
Пакеты
Наименование
strapi-plugin-protected-populate
npm
Затронутые версииВерсия исправления
< 1.3.4
1.3.4
Связанные уязвимости
CVSS3: 5.3
nvd
около 2 лет назад
The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds.