PT-2023-33074 · Amazon · Aws Cognito

Published

2023-04-18

·

Updated

2023-04-18

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Strapi versions 4.5.6 and earlier

Description

The issue concerns the verification of the access or ID token issued during the OAuth flow when the AWS Cognito login provider is used for authentication. The token's signature and algorithm were not checked against the user pool's keys, so a remote attacker could forge an ID token whose header declares the 'none' algorithm (an unsigned token), bypass authentication, and impersonate any user of a Strapi instance that authenticates through AWS Cognito. To detect exploitation, review application logs: extract the ID tokens sent to "/api/auth/cognito/callback" and verify each one against the public keys (JWKS) of the AWS Cognito user pool. Any token that fails verification should be treated as suspect; inspect its payload for the claims that identify the targeted account, in particular email and cognito:username.

Recommendations

For Strapi versions 4.5.6 and earlier, upgrade to Strapi v4.6.0 or later and reconfigure the AWS Cognito provider to include the JWKS URL, so that tokens are verified against the user pool's public keys and the authentication bypass is closed. If login fails after the upgrade with an error caused by the provider not having been reconfigured, update the AWS Cognito provider settings accordingly.

Fix

Related Identifiers

GHSA-XV3Q-JRMM-4FXV

Affected Products

Aws Cognito