CVE-2022-31367: Strapi mishandles hidden attributes within admin API responses

September 28, 2022 (updated September 30, 2022)

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

References

github.com/advisories/GHSA-4phg-hpqm-c3j4
github.com/kos0ng/CVEs/tree/main/CVE-2022-31367
github.com/strapi/strapi/pull/13185
github.com/strapi/strapi/pull/13189
github.com/strapi/strapi/releases/tag/v3.6.10
github.com/strapi/strapi/releases/tag/v4.1.10
nvd.nist.gov/vuln/detail/CVE-2022-31367

Code Behaviors & Features

Detect and mitigate CVE-2022-31367 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →