CVE-2022-30618: Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.53883%
Published: 5/20/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name      Ecosystem   Vulnerable Versions    First Patched Version
strapi            npm         >= 3.0.0, < 3.6.9      3.6.9
@strapi/strapi    npm         < 4.1.9                4.1.9

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from incomplete sanitization of sensitive fields on related user entities. Strapi's `sanitizeEntity` function is the primary mechanism for stripping private attributes from a response, and the leak indicates that it was not applied to nested relationships pointing at `users-permissions` users: the top-level entity was sanitized, but user records pulled in through a relation kept fields such as email and password reset tokens. The User model's serialization method (`toJSON`) is the other place where field exposure is controlled during serialization. Neither of these applied the private-field rule across relationships, which matches the described pattern of sensitive data leaking through indirect relationships in JSON responses. The practical consequence for operators is that, on strapi before 3.6.9 or @strapi/strapi before 4.1.9, any admin-panel user who can read a content type related to API users should be assumed able to read those users' reset tokens; upgrading to the first patched version is the fix.
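The following is an added illustration of the flaw pattern described above; it is not Strapi's own code. It places a sanitizer that strips private attributes from the top-level entity only next to one that applies the same rule to every related entity, and adds a check that walks a serialized response and reports the path of any private field still present. The model registry, the `private` flags (email is marked private here only to stay close to the advisory text), and the article/user records are all constructed for this example.

```javascript
// Added example (not Strapi's code): shallow versus relation-aware
// sanitization of private attributes. Models and records are constructed.

// Constructed model registry: attribute name -> definition. Which fields
// count as private is decided here, not by any real Strapi schema.
const models = {
  article: {
    attributes: {
      title: { type: "string" },
      author: { type: "relation", target: "user" },
      reviewers: { type: "relation", target: "user" },
    },
  },
  user: {
    attributes: {
      username: { type: "string" },
      email: { type: "string", private: true },
      password: { type: "password", private: true },
      resetPasswordToken: { type: "string", private: true },
      role: { type: "relation", target: "role" },
    },
  },
  role: { attributes: { name: { type: "string" } } },
};

// Flaw pattern: only the entity's own private attributes are removed.
// Related records (author, reviewers) are copied through untouched.
function sanitizeShallow(entity, modelName) {
  const attrs = models[modelName].attributes;
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    if (attrs[key] && attrs[key].private) continue;
    out[key] = value;
  }
  return out;
}

// Fixed pattern: the same rule is applied to every relation, resolving the
// target model for each hop and handling one-to-many relations (arrays).
function sanitizeDeep(entity, modelName) {
  if (entity === null || typeof entity !== "object") return entity;
  if (Array.isArray(entity)) return entity.map((e) => sanitizeDeep(e, modelName));
  const attrs = models[modelName].attributes;
  const out = {};
  for (const [key, value] of Object.entries(entity)) {
    const attr = attrs[key];
    if (attr && attr.private) continue;
    out[key] = attr && attr.type === "relation" ? sanitizeDeep(value, attr.target) : value;
  }
  return out;
}

// Response check: list every path in a serialized entity where a private
// attribute of the resolved model is still present. Empty array means clean.
function findPrivateLeaks(entity, modelName, path = "") {
  if (entity === null || typeof entity !== "object") return [];
  if (Array.isArray(entity)) {
    return entity.flatMap((e, i) => findPrivateLeaks(e, modelName, `${path}[${i}]`));
  }
  const attrs = models[modelName].attributes;
  const leaks = [];
  for (const [key, value] of Object.entries(entity)) {
    const attr = attrs[key];
    if (!attr) continue; // id and other non-attribute keys are not in the model
    const here = path ? `${path}.${key}` : key;
    if (attr.private) leaks.push(here);
    else if (attr.type === "relation") leaks.push(...findPrivateLeaks(value, attr.target, here));
  }
  return leaks;
}

// Constructed record shaped like a content-manager response: an article
// whose relations pull in full user records.
const sampleArticle = {
  id: 1,
  title: "Release notes",
  author: {
    id: 7,
    username: "alice",
    email: "alice@example.com",
    password: "$2a$10$constructedhash",
    resetPasswordToken: "tok-alice-123",
    role: { id: 1, name: "Authenticated" },
  },
  reviewers: [
    { id: 8, username: "bob", email: "bob@example.com", resetPasswordToken: "tok-bob-456" },
  ],
};

// Run both sanitizers over the sample and report what each still leaks.
function demo() {
  return {
    shallowLeaks: findPrivateLeaks(sanitizeShallow(sampleArticle, "article"), "article"),
    deepLeaks: findPrivateLeaks(sanitizeDeep(sampleArticle, "article"), "article"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

`findPrivateLeaks` is the part worth keeping around: pointed at a captured admin-panel JSON response and the real model definitions, it gives an exact list of paths where a related user's private fields survived serialization, which is a more reliable check than eyeballing the response.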

WAF Protection Rules

WAF Rule

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:use
