CVE-2024-29181

June 12, 2024, 3:15 p.m.

2.3
Low

Description

Strapi is an open-source content management system. Prior to version 4.19.1, a super admin can create a collection where an item in the collection has an association to another collection. When this happens, another user with Author Role can see the list of associated items they did not create. They should see nothing but their own items they created not all items ever created. Users should upgrade @strapi/plugin-content-manager to version 4.19.1 to receive a patch.

Product(s) Impacted

Product Versions
Strapi
  • before 4.19.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
https://github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m

Tags

security-advisories@github.com
CWE-639
2024-06-12
CVE-2024-29181

CVSS Score

2.3 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: June 12, 2024, 3:15 p.m.
Last Modified: June 12, 2024, 3:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.