CVE-2021-46440
Strapi 3.6.8 Password Disclosure / Insecure Handling
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.
El almacenamiento de contraseñas en un formato recuperable en el componente del plugin DOCUMENTATION de Strapi versiones anteriores a 3.6.9 y versiones 4.x anteriores a 4.1.5 permite a un atacante acceder a la petición HTTP de una víctima, obtener la cookie de la víctima, llevar a cabo una decodificación base64 en la cookie de la víctima y obtener una contraseña en texto sin cifrar, conllevando a una obtención de la documentación de la API para posteriores ataques a la misma
Strap versions prior to 3.6.9 and 4.1.5 disclose a user's password due to simply base64 encoding it and sticking it in a cookie.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-01-24 CVE Reserved
- 2022-05-02 CVE Published
- 2024-06-12 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://hub.docker.com/r/strapi/strapi | Product |
| URL | Date | SRC |
|---|---|---|
| http://packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.html | 2024-08-04 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/strapi/strapi/pull/12246 | 2022-07-12 |
| URL | Date | SRC |
|---|---|---|
| https://strapi.io | 2022-07-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Strapi Search vendor "Strapi" | Strapi Search vendor "Strapi" for product "Strapi" | < 3.6.9 Search vendor "Strapi" for product "Strapi" and version " < 3.6.9" | - |
Affected
| ||||||
| Strapi Search vendor "Strapi" | Strapi Search vendor "Strapi" for product "Strapi" | >= 4.0.0 < 4.1.5 Search vendor "Strapi" for product "Strapi" and version " >= 4.0.0 < 4.1.5" | - |
Affected
| ||||||