CVE-2023-22893
Published 2023-04-19
Priority: P180 (high), CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploited in the wild (ITW exploit, VulnCheck KEV)
EPSS: 4.16% (89.6th percentile)
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| strapi | plugin-users-permissions | >= 3.2.1 < 4.6.0 | 4.6.0 |
| strapi | strapi | >= 3.0.0 < 4.6.0 | 4.6.0 |
Detection & IOCs (extracted from sources)
- URL: /api/auth/cognito/callback?access_token={{to_lower(rand_text_alpha(8))}}&id_token=eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.{{base64(payload)}}.
- Bytes: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0
- Look for HTTP requests to /api/auth/cognito/callback containing an id_token whose JWT header decodes to {"alg":"none","typ":"JWT"} (base64: eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0) — this is the forged 'None' algorithm token used to bypass authentication.
- A successful exploit returns HTTP 200 with a JSON body containing both '"provider":' and '"confirmed":' fields, and a '.jwt' key — indicating a valid Strapi session was issued for the forged identity.
- Monitor for Cognito OAuth callback requests where the id_token has an empty/missing signature segment (trailing dot with no value), characteristic of the 'none' algorithm JWT structure.
- Use FOFA query app="strapi-Headless-CMS" to identify exposed Strapi instances potentially vulnerable to this authentication bypass.
- The vulnerability only affects Strapi instances that have the AWS Cognito login provider explicitly configured and enabled for authentication — instances not using Cognito are not affected.
- The exploit requires knowledge of (or ability to enumerate) a valid user email address registered via AWS Cognito, as the forged JWT payload must include a target email to impersonate that user.
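The first and third indicators above (alg "none" header, empty signature segment) as detection logic run over access-log lines. This is an added example, not code from the page or from Strapi; it assumes combined/common access-log format and uses constructed sample lines (the RS256 token's "c2ln" signature is a placeholder, not a real signature).

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

CALLBACK_PATH = "/api/auth/cognito/callback"
# Request part of a combined/common access-log line: "<src> - - [ts] "GET <url> HTTP/x.y"".
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_id_token(token: str) -> dict:
    """Flag the two traits of a CVE-2023-22893 token: header alg 'none' and an
    empty third (signature) segment. Malformed tokens are reported, not raised."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"alg": None, "alg_none": False, "empty_signature": False, "malformed": True}
    try:
        alg = str(json.loads(_b64url_decode(parts[0])).get("alg", ""))
    except (ValueError, AttributeError):  # bad base64, bad JSON, or header not an object
        return {"alg": None, "alg_none": False, "empty_signature": parts[2] == "", "malformed": True}
    return {"alg": alg, "alg_none": alg.lower() == "none",  # "None"/"NONE" count too
            "empty_signature": parts[2] == "", "malformed": False}


def scan_access_log(lines) -> list:
    """One finding per Cognito callback request whose id_token is unsigned, alg none, or malformed."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, url = m.group(1), urlsplit(m.group(2))
        if url.path != CALLBACK_PATH:
            continue
        for token in parse_qs(url.query).get("id_token", []):
            info = inspect_id_token(token)
            if info["alg_none"] or info["empty_signature"] or info["malformed"]:
                findings.append({"line": lineno, "src": src, **info})
    return findings


# Constructed sample log lines (not from the page); NONE_HEADER is the IOC quoted above.
NONE_HEADER = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0"  # {"alg":"none","typ":"JWT"}
RS256_HEADER = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
PAYLOAD = _b64url_encode(b'{"email":"user@example.test"}')
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Apr/2023:10:00:01 +0000] "GET {CALLBACK_PATH}?access_token=abcdefgh&id_token={NONE_HEADER}.{PAYLOAD}. HTTP/1.1" 200 512',
    f'198.51.100.2 - - [19/Apr/2023:10:00:02 +0000] "GET {CALLBACK_PATH}?access_token=ijklmnop&id_token={RS256_HEADER}.{PAYLOAD}.c2ln HTTP/1.1" 200 480',
    '198.51.100.3 - - [19/Apr/2023:10:00:03 +0000] "GET /api/articles HTTP/1.1" 200 1024',
]
```

Only the first line is reported: a three-segment token with a trailing dot is the "alg none" shape, while the RS256 token and the unrelated request pass through.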
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA
ghsa · 2023-04-19
CVE-2023-22893 [MEDIUM] Strapi does not verify the access or ID tokens issued during the OAuth flow
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
OSV
osv · 2023-04-19
CVE-2023-22893 [MEDIUM] Strapi does not verify the access or ID tokens issued during the OAuth flow
Strapi 3.2.1 until 4.6.0 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
VulnCheck
vulncheck · 2023 · CVSS 7.5
CVE-2023-22893 [HIGH] strapi strapi Improper Authentication
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
Affected: strapi strapi
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2023-22893
No detection rules found.
Nuclei
nuclei · CVSS 7.5
CVE-2023-22893 [HIGH] Strapi Versions <=4.5.6 - Authentication Bypass
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that uses AWS Cognito for authentication.
Template:

```yaml
id: CVE-2023-22893
info:
  name: Strapi Versions <=4.5.6 - Authentication Bypass
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass au
```
No writeups or analysis indexed.
- https://github.com/strapi/strapi/releases
- https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve
- https://www.ghostccamm.com/blog/multi_strapi_vulns/