7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30618

GHSA ID

GHSA-vgj7-895j-gpr6

EPSS Score

0.53883%

CWE

CWE-212

Published

5/20/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-30618

CVE-2022-30618:
Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for API users if content types accessible to the authenticated user contain relationships to API users (from:users-permissions). There are many scenarios in which such details from API users can leak in the JSON response within the admin panel, either through a direct or indirect relationship. Access to this information enables a user to compromise these users’ accounts if the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could get access to a high-privileged API account, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30618

GHSA ID

GHSA-vgj7-895j-gpr6

EPSS Score

0.53883%

CWE

CWE-212

Published

5/20/2022

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
strapi	npm	>= 3.0.0, < 3.6.9	3.6.9
@strapi/strapi	npm	< 4.1.9	4.1.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper sanitization of sensitive fields in related user entities. Strapi's sanitizeEntity function is the primary mechanism for field filtering, and its failure to handle nested relationships from users-permissions plugin indicates a flaw in this function. Additionally, the User model's serialization method (toJSON) would be responsible for controlling field exposure during data serialization. The combination of these two functions not properly handling relationship-based data inclusion matches the described vulnerability pattern of sensitive data leakage through indirect relationships in JSON responses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ut**nti**t** us*r wit* ****ss to t** Str*pi **min p*n*l **n vi*w priv*t* *n* s*nsitiv* **t*, su** *s *m*il *n* p*sswor* r*s*t tok*ns, *or *PI us*rs i* *ont*nt typ*s ****ssi*l* to t** *ut**nti**t** us*r *ont*in r*l*tions*ips to *PI us*rs (*rom:us*

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nitiz*tion o* s*nsitiv* *i*l*s in r*l*t** us*r *ntiti*s. Str*pi's `s*nitiz**ntity` *un*tion is t** prim*ry m****nism *or *i*l* *ilt*rin*, *n* its **ilur* to **n*l* n*st** r*l*tions*ips *rom `us*rs-p*rmissions`

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-30618: Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-30618:
Improper Removal of Sensitive Information Before Storage or Transfer in Strapi

Vulnerability Intelligence
Miggo AI