PT-2023-26486 · Strapi · Strapi

Scgajge12 · Published 2023-09-13 · Updated 2023-09-21 · CVE-2023-38507

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 4.12.1

Description: The issue concerns Strapi, an open-source headless content management system. Prior to version 4.12.1, the login function of Strapi's admin screen is rate limited, but the limit can be circumvented, which makes unauthorized login through a brute-force attack more likely. The bypass works by manipulating the request path, for example by changing the case of the path or adding a trailing slash: an attacker can use the /admin/login endpoint and then modify it to /admin/Login or /admin/login/ to avoid the rate limit.

Recommendations: For versions prior to 4.12.1, update to version 4.12.1 to fix the issue. As a temporary workaround, consider modifying the rate limiting mechanism to forcibly convert the request path to upper or lower case and remove any extra slashes, as suggested in the measures section of the OSV description. This helps prevent the bypass of the rate limit.
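The workaround above, as an added example that is not Strapi's own code: a path-normalising key for a login rate limiter, shown next to the naive per-path key it replaces. It assumes the client IP and request path have already been extracted from the request; the limiter, the IP and the attempt list are constructed for illustration.

```javascript
// Naive key: the raw request path. "/admin/Login" and "/admin/login/"
// each land in their own bucket, which is the bypass the advisory describes.
function naiveKey(ip, path) {
  return `${ip}:${path}`;
}

// Hardened key: lower-case the path, collapse repeated slashes and drop a
// trailing slash so every spelling of the login route shares one bucket.
function normalizePath(path) {
  let p = path.toLowerCase().replace(/\/{2,}/g, '/');
  if (p.length > 1) p = p.replace(/\/+$/, '');
  return p;
}

function hardenedKey(ip, path) {
  return `${ip}:${normalizePath(path)}`;
}

// Minimal fixed-window limiter: at most `max` attempts per key per window.
class RateLimiter {
  constructor(max, windowMs, keyFn) {
    this.max = max;
    this.windowMs = windowMs;
    this.keyFn = keyFn;
    this.buckets = new Map();
  }
  // Returns true if the attempt is allowed, false if it should get a 429.
  allow(ip, path, now = Date.now()) {
    const key = this.keyFn(ip, path);
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.max;
  }
}

// Constructed sample: five attempts per minute allowed from one IP (hypothetical).
function countAllowed(keyFn, paths) {
  const limiter = new RateLimiter(5, 60000, keyFn);
  return paths.filter((p) => limiter.allow('203.0.113.7', p, 0)).length;
}

const attempts = [
  '/admin/login', '/admin/login', '/admin/login', '/admin/login', '/admin/login',
  '/admin/Login', '/admin/login/', '/admin//login',
];
// countAllowed(naiveKey, attempts) → 8, countAllowed(hardenedKey, attempts) → 5
```

With the naive key the three path variants each open a fresh bucket and slip through; with the normalised key they count against the same five-attempt budget.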

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2023-38507
GHSA-24Q2-59HM-RH9R

Affected Products

Strapi