Question regarding security issue (4.5.6)

lolafkok · January 17, 2023, 9:53am

I am running multiple (most of them “low-budget”) customer projects that use the latest v3 version of strapi. Most of them are not willed to pay for updating to strapi v4 or simply are out-of-budget for that.

I want to prepare for the worst-case - when the details to the “security issue” explained in v4.5.6 GitHub - strapi/strapi at v4.5.6 are released - and maybe have some “temporary quickfix” to hand.

Please note that this security vulnerability can only be exploited if the malicious actor currently has access to your admin panel.

So my question is: What is the meaning of “has access to your admin panel”?
Is the malicious actor only required to have access to the login-screen of the admin-panel? (access /admin from the internet?)
Or does that mean the malicious actor needs to have an strapi-admin-user-account (with whatever role associated)?

Maybe @Boegie19 or @dmarkbreiter can bring some light into this?

Thanks in advance,
Olaf

Boegie19 · January 17, 2023, 10:03am

@DMehaffy I think it is best if you answer this question since you know all the details

Derrick took some vacation days so I have no clue when he will respond but he is the only one who can give you accurate answers on this to my knowledge.

DMehaffy · January 17, 2023, 6:39pm

Good question, no they need to have a valid login and be able to access a certain settings page within the admin. I can’t release too much information at this time (we are preparing a proper and full explanation disclosure blog post).

The person who reported the vulnerability wrote a long and detailed blog post as well that dives into the specifics that will come out as the same time as ours.

While we (Strapi) will not be releasing a patch for v3 since it’s EOL, a manual patch could be created to be used with patch-package if needed by you. We will be providing instructions on how to construct these patches.

lolafkok · January 18, 2023, 6:31am

Thanks for clarifying!

Regarding the vulnerability: To me (and I guess many other v3 usecases that use strapi mostly as API with a login provided to a few administrators only) this is really good news!

But to be future prove (and for the time an update is no option) Yes such patch-package instructions would be greatly appreciated.