CVE-2023-48218

The Strapi Protected Populate Plugin protects `get` endpoints from revealing too much information. Prior to version 1.3.4, users were able to bypass the field level security. Users who tried to populate something that they didn't have access to could populate those fields anyway. This issue has been patched in version 1.3.4. There are no known workarounds.
Configurations

Configuration 1 (hide)

cpe:2.3:a:strapi:protected_populate:*:*:*:*:*:*:*:*

History

29 Nov 2023, 20:52

Type Values Removed Values Added
CPE cpe:2.3:a:strapi:protected_populate:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
First Time Strapi
Strapi protected Populate
References () https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39 - () https://github.com/strapi-community/strapi-plugin-protected-populate/commit/05441066d64e09dd55937d9f089962e9ebe2fb39 - Patch
References () https://github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7 - () https://github.com/strapi-community/strapi-plugin-protected-populate/security/advisories/GHSA-6h67-934r-82g7 - Vendor Advisory
References () https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4 - () https://github.com/strapi-community/strapi-plugin-protected-populate/releases/tag/v1.3.4 - Release Notes

20 Nov 2023, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-20 17:15

Updated : 2024-02-28 20:54


NVD link : CVE-2023-48218

Mitre link : CVE-2023-48218

CVE.ORG link : CVE-2023-48218


JSON object : View

Products Affected

strapi

  • protected_populate
CWE
CWE-863

Incorrect Authorization