
Security Disclosure of Vulnerabilities: CVE-2023-22893, CVE-2023-22621, and CVE-2023-22894

What's this blog post about?

On December 29th, 2022, a security researcher reported an SSTI (server-side template injection) vulnerability in the email template system of Strapi's users-permissions plugin. The flaw allowed remote code execution (RCE) on the Strapi server. Its scope was initially believed to be limited to users with access to the Strapi Admin Panel, but it was later found that unauthenticated attackers could reach it on any Strapi <=4.5.5 server by chaining CVE-2023-22621 with CVE-2023-22894. Strapi has released patches for these vulnerabilities in versions 4.5.6, 4.6.0, and 4.8.0, and the Strapi security team advises users to upgrade to v4.8.0 or later as quickly as possible, since those releases also patch other security vulnerabilities.

To detect whether your application was impacted, review your request logs for the following IoCs (Indicators of Compromise). For CVE-2023-22621, search for PUT requests to the URL path /users-permissions/email-templates. For CVE-2023-22893 (the AWS Cognito login provider accepted ID tokens without verifying them), use a regex pattern to extract every ID token sent to /api/auth/cognito/callback and verify each token's signature against the public key (JWKS) file for your AWS Cognito user pool; a token that fails verification indicates a forged login attempt.

The Strapi security team thanks GhostCcamm for their diligent work in discovering these vulnerabilities and assisting with responsible disclosure. Anyone who believes they have discovered a security vulnerability is encouraged to report it responsibly by emailing [email protected].
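The log review described above, as an added example that is not part of the Strapi post or of Strapi's own code. It assumes a combined-format access log in which the full query string of the Cognito callback is recorded (if your proxy strips query strings, the tokens are simply not there to review), and it uses a hypothetical user pool issuer, app client id and JWKS `kid` value. The script flags every PUT to the email-template endpoint, extracts each `id_token` sent to the Cognito callback, and triages the token structurally (algorithm, `kid` membership in the pool's JWKS, issuer, audience, `token_use`); a token that passes those checks still has to have its RS256 signature verified against the pool's jwks.json with a JWT library, which is the step the post describes and which this offline example does not perform. The log lines and tokens are constructed, not captured traffic.

```python
import base64
import json
import re
from urllib.parse import parse_qs

# Hypothetical Cognito user pool (assumed identifiers, not a real pool).
POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"
# 'kid' values taken from the pool's JWKS (<issuer>/.well-known/jwks.json); assumed here.
POOL_JWKS_KIDS = {"kid-2023-01"}

EMAIL_TEMPLATE_PATH = "/users-permissions/email-templates"   # CVE-2023-22621 IoC
COGNITO_CALLBACK_PATH = "/api/auth/cognito/callback"          # CVE-2023-22893 IoC

# Combined log format: ip ident user [timestamp] "METHOD target protocol" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(header: dict, claims: dict, signature: bytes) -> str:
    """Assemble a JWT from its parts; used only to build the constructed sample tokens."""
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(signature)])


def triage_id_token(token: str) -> list:
    """Return the reasons this token cannot be a genuine ID token from the pool.

    An empty list means the token is structurally consistent with the pool and must
    go on to real RS256 signature verification against the JWKS (not done here).
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    reasons = []
    if header.get("alg") != "RS256":
        reasons.append(f"alg is {header.get('alg')!r}; Cognito signs ID tokens with RS256")
    if header.get("kid") not in POOL_JWKS_KIDS:
        reasons.append(f"kid {header.get('kid')!r} is not in the user pool JWKS")
    if claims.get("iss") != POOL_ISSUER:
        reasons.append(f"iss {claims.get('iss')!r} is not the user pool issuer")
    if claims.get("aud") != APP_CLIENT_ID:
        reasons.append(f"aud {claims.get('aud')!r} is not the app client id")
    if claims.get("token_use") != "id":
        reasons.append("token_use is not 'id'")
    if not parts[2]:
        reasons.append("empty signature")
    return reasons


def scan_log(log_text: str) -> list:
    """Scan access-log text for the two IoCs and return one finding per hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if m["method"] == "PUT" and path == EMAIL_TEMPLATE_PATH:
            findings.append({"cve": "CVE-2023-22621", "ip": m["ip"], "ts": m["ts"],
                             "detail": "email template modified"})
        elif path == COGNITO_CALLBACK_PATH:
            for token in parse_qs(query).get("id_token", []):
                reasons = triage_id_token(token)
                findings.append({"cve": "CVE-2023-22893", "ip": m["ip"], "ts": m["ts"],
                                 "detail": "; ".join(reasons)
                                 or "structurally valid; verify RS256 signature against JWKS"})
    return findings


# Constructed sample tokens: one that looks genuine (placeholder signature bytes, since a
# real RSA signature cannot be produced here), one 'alg: none' forgery, one with a foreign key.
GENUINE_LOOKING = make_jwt({"alg": "RS256", "kid": "kid-2023-01"},
                           {"iss": POOL_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
                            "sub": "u-1", "email": "alice@example.com"}, b"\x01" * 32)
FORGED_ALG_NONE = make_jwt({"alg": "none"},
                           {"iss": POOL_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
                            "email": "admin@example.com"}, b"")
FORGED_UNKNOWN_KID = make_jwt({"alg": "RS256", "kid": "attacker"},
                              {"iss": "https://evil.example", "aud": APP_CLIENT_ID,
                               "token_use": "id", "email": "admin@example.com"}, b"\x02" * 32)

# Constructed access log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = "\n".join([
    '203.0.113.10 - - [02/Jan/2023:10:15:01 +0000] "GET /api/articles HTTP/1.1" 200 512',
    '203.0.113.44 - - [02/Jan/2023:10:16:30 +0000] "PUT /users-permissions/email-templates HTTP/1.1" 200 87',
    f'198.51.100.7 - - [02/Jan/2023:10:17:02 +0000] "GET {COGNITO_CALLBACK_PATH}?access_token=x&id_token={GENUINE_LOOKING} HTTP/1.1" 200 300',
    f'198.51.100.9 - - [02/Jan/2023:10:18:45 +0000] "GET {COGNITO_CALLBACK_PATH}?access_token=x&id_token={FORGED_ALG_NONE} HTTP/1.1" 200 300',
    f'198.51.100.9 - - [02/Jan/2023:10:19:01 +0000] "GET {COGNITO_CALLBACK_PATH}?access_token=x&id_token={FORGED_UNKNOWN_KID} HTTP/1.1" 200 300',
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['cve']}  {f['ts']}  {f['ip']}  {f['detail']}")
```

A PUT to the email-template endpoint is also what a legitimate administrator produces when editing a template, so correlate each hit with known admin activity and inspect the stored template for injected template code rather than treating the request alone as proof of compromise. For the Cognito tokens, the structural triage only removes the obvious forgeries; the ones it lets through are exactly the set you must run through signature verification with the pool's JWKS.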

Company
Strapi

Date published
April 17, 2023

Author(s)
Derrick Mehaffy

Word count
2079

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.