GMS-2023-1157: Authentication Bypass in @strapi/plugin-users-permissions

April 18, 2023

Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication.

References

github.com/advisories/GHSA-xv3q-jrmm-4fxv
github.com/strapi/strapi/commit/d0edd25ceb49d275d710bf8d59999a2c07072893
github.com/strapi/strapi/pull/15382
github.com/strapi/strapi/releases/tag/v4.6.0
github.com/strapi/strapi/security/advisories/GHSA-xv3q-jrmm-4fxv

Code Behaviors & Features

Detect and mitigate GMS-2023-1157 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →