CVE-2022-31367
Vulnerability Explanation
An authenticated user with permission to read "user" data in settings section can dump all available users password hash. This vulnerability caused by column name manipulation ( column name injection ) on filtering feature.
Vulnerability Type
SQL Injection
Attack Vector
An authenticated user with permission to read user data in settings section can dump all users data such as password hash by manipulating column when using filter function
Vendor of Product
Affected Version
- Strapi - v3.* . Fixed on v3.6.10
- Strapi - v4.* . Fixed on v4.1.10
Steps to Reproduce
- Login to user with permission to read "user" data in settings section.
- Click on filters and add filter using firstname and email with type of selection is contains case sensitive
- See http request and then click edit and send ( firefox ) . After that change email_containss to password_containss and fill password_contains parameter with "$" , because we know that password in strapi hashed using bcrypt.
- Check the response and we will see row of data which fulfil our filter request ( in this case password contains $ and username contains admin )
- Validate the bug by sending an invalid filter value such as "JUNK" for password.
- Final step, create script to automate password leak and validate the password found by checking on database.
Exploit Code
Tested On
- Node.js version: v12.22.7
- NPM version: 7.24.2
- Strapi version: v3.6.8
- Database: PostgreSQL
- Operating system: Debian GNU/Linux 9 (stretch)
Disclosure Timeline:
- 2021-12-09: Vulnerability discovered.
- 2022-05-11: Vulnerability fixed.
- 2022-05-11: Vulnerability reported to the MITRE corporation.
- 2022-05-23: CVE has been assigned.
- 2022-09-27: Public disclosure of the vulnerability.
Discoverer
Achmad Zaenuri Dahlan Putra (kosong)