
CVE-2022-31367: Strapi mishandles hidden attributes within admin API responses

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.39522%
Published: 9/28/2022
Updated: 2/2/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected packages:

Package Name      Ecosystem   Vulnerable Versions           First Patched Version
strapi            npm         < 3.6.10                      3.6.10
@strapi/strapi    npm         >= 4.0.0-next.0, < 4.1.10     4.1.10

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from improper sanitization in admin API response handlers. Both major versions failed to exclude attributes marked as hidden (private) in content-type configurations. The v3 sanitizeEntity function and the v4 permissions-manager sanitize function were both patched in the referenced PRs (#13189 and #13185) to filter those attributes out. The exploit demonstrates that an attacker could manipulate filter parameters (for example, changing 'email_containss' to 'password_containss') to bypass the intended data restrictions. The SQL Injection CWE mapping most likely refers to column-name injection rather than traditional SQLi: the attacker controls the attribute name used in a filter operation and can thereby reach hidden fields.


WAF Protection Rules

WAF Rule

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.
