CVE-2024-29181: @strapi/plugin-content-manager leaks data via relations via the Admin Panel

June 12, 2024

If a super admin creates a collection where an item in the collection has an association to another collection, a user with the Author Role can see the list of associated items they did not create. They should only see their own items that they created, not all items ever created.

References

github.com/advisories/GHSA-6j89-frxc-q26m
github.com/strapi/strapi
github.com/strapi/strapi/commit/e1dfd4d9f1cab25cf6da3614c1975e4e508e01c6
github.com/strapi/strapi/security/advisories/GHSA-6j89-frxc-q26m
nvd.nist.gov/vuln/detail/CVE-2024-29181

Code Behaviors & Features

Detect and mitigate CVE-2024-29181 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →