SB2023072819 - Multiple vulnerabilities in strapi

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2023-34093)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to making all attributes on a content-type public via review workflows. A remote administrator can gain unauthorized access to sensitive information on the system.

2) Information disclosure (CVE-ID: CVE-2023-34235)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to filtering on private with prefix fields. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://github.com/strapi/strapi/commit/2fa8f30371bfd1db44c15e5747860ee5789096de
• https://github.com/strapi/strapi/security/advisories/GHSA-chmr-rg2f-9jmf
• https://github.com/strapi/strapi/releases/tag/v4.10.8
• https://github.com/strapi/strapi/security/advisories/GHSA-9xg4-3qfm-9w8f