CVE-2023-22893
published 2023-04-19

Priority: P1 (80, high)
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
ITW exploit: VulnCheck KEV, exploited in the wild
EPSS: 4.16% (89.6th percentile)
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker can forge an ID token whose header declares the 'none' signing algorithm, bypass authentication, and impersonate any user that authenticates through AWS Cognito.

Affected

2 ranges

Vendor   Product                    Version range        Fixed in
strapi   plugin-users-permissions   >= 3.2.1, < 4.6.0    4.6.0
strapi   strapi                     >= 3.0.0, < 4.6.0    4.6.0

Detection & IOCs (extracted from sources)

url (Nuclei template request, {{...}} are template placeholders): /api/auth/cognito/callback?access_token={{to_lower(rand_text_alpha(8))}}&id_token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.{{base64(payload)}}.
path: /api/auth/cognito/callback
bytes: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0 (base64url of {"alg":"none","typ":"JWT"})
  • Look for HTTP requests to /api/auth/cognito/callback whose id_token JWT header decodes to {"alg":"none","typ":"JWT"} (base64url: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0). This is the forged 'none'-algorithm token used to bypass authentication. Note that the base64 string only matches that exact header encoding: a header with a different key order, a different casing of "none", extra whitespace or base64 padding produces different bytes, so a robust rule decodes the header and compares alg case-insensitively instead of matching the literal string.
  • A successful exploit returns HTTP 200 with a JSON body containing "provider" and "confirmed" fields and a jwt key (the template checks .jwt), indicating that Strapi issued a valid session for the forged identity.
  • Monitor for Cognito OAuth callback requests where the id_token has an empty or missing signature segment (a trailing dot with nothing after it), characteristic of a 'none'-algorithm JWT.
  • Use the FOFA query app="strapi-Headless-CMS" to identify exposed Strapi instances that may be vulnerable to this authentication bypass.
  • Only Strapi instances that have the AWS Cognito login provider explicitly configured and enabled are affected; instances not using Cognito are not.
  • The exploit requires knowledge of (or the ability to enumerate) a valid user email address registered via AWS Cognito, because the forged JWT payload must carry the target email to impersonate that user.
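As an added example (not code from this page, from Strapi, or from the Nuclei template it references), the following Python scanner implements the first and third detection bullets above against constructed access-log lines, and goes one step further than the exact-string IOC: it decodes the JWT header and checks alg case-insensitively, so a re-ordered, upper-cased or padded 'none' header is caught as well. The log format, client IPs, timestamps, token payload and target email are all constructed for the example.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/api/auth/cognito/callback"

# Combined-log style access line: client IP, timestamp, request line, status, size (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def b64url_decode(segment: str) -> bytes:
    """Decode a JWT segment, tolerating both base64 alphabets and present or missing padding."""
    segment = segment.strip().replace("-", "+").replace("_", "/")
    segment += "=" * (-len(segment) % 4)
    return base64.b64decode(segment)


def classify_id_token(token: str) -> dict:
    """Inspect a JWT's structure without verifying it: the alg the header claims, whether that
    alg is 'none' (case-insensitive), and whether the signature segment is empty."""
    parts = token.split(".")
    finding = {"alg": None, "alg_none": False, "unsigned": False, "malformed": False}
    if len(parts) not in (2, 3):
        finding["malformed"] = True
        return finding
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        finding["malformed"] = True
        return finding
    alg = header.get("alg") if isinstance(header, dict) else None
    finding["alg"] = alg
    finding["alg_none"] = isinstance(alg, str) and alg.strip().lower() == "none"
    finding["unsigned"] = len(parts) == 2 or parts[2] == ""
    return finding


def scan_log(lines):
    """One alert per Cognito callback request whose id_token is alg=none, unsigned, or malformed.
    The status is recorded only as a hint: the page's success indicator (provider/confirmed/jwt
    in the response body) is not visible in an access log."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != CALLBACK_PATH:
            continue
        for token in parse_qs(url.query).get("id_token", []):
            f = classify_id_token(token)
            if f["alg_none"] or f["unsigned"] or f["malformed"]:
                alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                               "status": int(m.group("status")), **f})
    return alerts


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample tokens and log lines (not captured traffic); the target email is made up.
PAYLOAD = _b64url(b'{"email":"victim@example.com"}')
# Header bytes exactly as quoted in the IOCs above, empty signature segment.
FORGED_NONE = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0." + PAYLOAD + "."
# Same attack, different bytes: key order swapped, upper-case alg, padded base64.
VARIANT_NONE = base64.urlsafe_b64encode(b'{"typ":"JWT","alg":"NONE"}').decode() + "." + PAYLOAD + "."
# Benign-looking signed token; the signature is a placeholder, only the structure is inspected.
SIGNED = _b64url(b'{"alg":"RS256","kid":"k1"}') + "." + PAYLOAD + ".c2lnbmF0dXJl"

SAMPLE_LOG = [
    f'203.0.113.9 - - [19/Apr/2023:10:00:01 +0000] "GET {CALLBACK_PATH}?access_token=abcdefgh&id_token={FORGED_NONE} HTTP/1.1" 200 412',
    f'198.51.100.4 - - [19/Apr/2023:10:00:02 +0000] "GET {CALLBACK_PATH}?access_token=abcdefgh&id_token={SIGNED} HTTP/1.1" 200 412',
    f'203.0.113.9 - - [19/Apr/2023:10:00:03 +0000] "GET {CALLBACK_PATH}?access_token=abcdefgh&id_token={VARIANT_NONE} HTTP/1.1" 200 412',
    f'192.0.2.7 - - [19/Apr/2023:10:00:04 +0000] "GET /api/articles HTTP/1.1" 200 1024',
]

NONE_HEADER_B64 = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"


def naive_hits(lines):
    """The exact-string IOC from the page: it matches only the canonical header encoding."""
    return sum(NONE_HEADER_B64 in line for line in lines)


if __name__ == "__main__":
    print("exact-string IOC hits:", naive_hits(SAMPLE_LOG))  # 1: the padded/upper-case variant is missed
    for alert in scan_log(SAMPLE_LOG):                       # 2 alerts, both from 203.0.113.9
        print(alert)
```

The exact-string count and the decoded-header scan disagree on the third line, which is the point: alert on what the header means, not on one encoding of it, and treat an empty signature segment as a second, independent signal.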

CVSS provenance

NVD: CVSS 3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH