Description
Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication.
Recommendation
Update the @strapi/plugin-users-permissions package to the latest compatible version. Version details:
- Affected version(s): >= 3.2.1, < 4.6.0
- Patched version(s): 4.6.0
References
Related Issues
- @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
- Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
- Strapi Improper Rate Limiting vulnerability (GHSA-24q2-59hm-rh9r) - CVE-2023-38507
Tags: npm, @strapi/plugin-users-permissions
Last updated on April 19, 2023