PT-2023-18757 · Amazon · AWS Cognito

Ghostccamm · Published 2023-04-18 · Updated 2025-11-07 · CVE-2023-22893

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vulnerable software and affected versions: Strapi versions 3.2.1 through 4.5.5

Description: The issue arises from the lack of verification of access or ID tokens issued during the OAuth flow when using the AWS Cognito login provider for authentication. Because the token signature is never checked, a remote attacker can forge an ID token whose header declares the 'none' algorithm (an unsigned token), bypassing authentication and potentially impersonating any user who authenticates through AWS Cognito.

Recommendations: For versions 3.2.1 through 4.5.5, update to a version that includes the fix for this issue to prevent authentication bypass and impersonation. As a temporary workaround, consider restricting the use of the AWS Cognito login provider until a patch is available.

Exploit · Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2023-22893, GHSA-583X-23H9-F5W7

Affected Products: AWS Cognito