
CVE-2020-27665: Improper Authorization in Strapi

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.52237%
Published: 10/29/2020
Updated: 9/13/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name: strapi-plugin-content-type-builder
Ecosystem: npm
Vulnerable Versions: < 3.2.5
First Patched Version: 3.2.5

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing admin::hasPermissions policies in the content-type-builder (CTB) plugin's route configurations. The commit diff shows that these handlers in routes.json lacked authorization checks before 3.2.5. Each listed function corresponds to a route handler that was vulnerable because no permission validation was applied, as evidenced by the policies added in the patch. The modification to routes.json clearly shows that these were the unprotected entry points.


WAF Protection Rules

WAF Rule

In Strapi before 3.2.5, there is no `admin::hasPermissions` restriction for CTB (aka content-type-builder) routes.

Reasoning

The vulnerability stemmed from missing `admin::hasPermissions` policies in CTB route configurations. The commit diff shows these handlers in `routes.json` lacked authorization checks before 3.2.5. Each listed `function` corresponds to a route handler