CVE-2024-56143

Description

### Summary It's possible to access any private fields by filtering through the lookup parameters ### Details Using the new lookup operator provided by the document service in Strapi 5, it is not properly sanitizing this query operator for private fields. ### PoC 1. Create a strapi app. 2. Create a content-type 3. In the content-type you make a new entry 4. Go back to the list view 4. Add `&lookup[updatedBy][password][$startsWith]=$2` to the end of your url (All passwords start with $2) see that all entries are still there 6. Add `&lookup[updatedBy][password][$startsWith]=$3` see the entry disappear proving that the search above works ### Impact An attacker can perform filtering attacks on everything related to the object, including admin passwords and reset-tokens. This means that they can gain full access to the strapi instance.

How to fix CVE-2024-56143

To remediate CVE-2024-56143, upgrade the affected package to a fixed version below.

• —upgrade to 5.5.2 or later

Is CVE-2024-56143 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 5.0.0, < 5.5.2

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-56143
• PATCHgithub.com/strapi/strapi
• WEBgithub.com/strapi/strapi/commit/0c6e0953ae1e62afae9329de7ae6d6a5e21b95b8
• WEBgithub.com/strapi/strapi/security/advisories/GHSA-495j-h493-42q2