CVE-2023-38507

Опубликовано: 15 сент. 2023

Источник: nvd

CVSS3: 7.3

CVSS3: 9.8

EPSS Низкий

Описание

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. Therefore, the possibility of unauthorized login by login brute force attack increases. Version 4.12.1 has a fix for this issue.

Ссылки

https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31
Issue Tracking
https://github.com/strapi/strapi/releases/tag/v4.12.1
Release Notes
https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r
Exploit
Third Party Advisory
https://github.com/strapi/strapi/blob/32d68f1f5677ed9a9a505b718c182c0a3f885426/packages/core/admin/server/middlewares/rateLimit.js#L31
Issue Tracking
https://github.com/strapi/strapi/releases/tag/v4.12.1
Release Notes
https://github.com/strapi/strapi/security/advisories/GHSA-24q2-59hm-rh9r
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:strapi:strapi:*:*:*:*:*:*:*:*

Версия до 4.12.1 (исключая)

EPSS

Процентиль: 49%

0.00255

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-770

Связанные уязвимости

GHSA-24q2-59hm-rh9r

CVSS3: 7.3

github

почти 2 года назад

Strapi Improper Rate Limiting vulnerability

EPSS

Процентиль: 49%

0.00255

Низкий

7.3 High

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-770