CVE-2023-37263: Release v4.12.1 · strapi/strapi
Strapi is an open-source headless content management system. Prior to version 4.12.1, field-level permissions are not respected in the relationship title. If an actor can see a relationship title and the relationship shows a field they don't have permission to see, the field will still be visible. Version 4.12.1 has a fix for this issue.
⚠️ Security Warning and Notice ⚠️
Strapi was made aware of a few vulnerabilities that were patched in this release. For now we are going to delay the detailed disclosure of exactly how they can be exploited and how they were patched, to give users time to upgrade before we make a public disclosure.
The current delay timeline is that we will release the detailed information within the next four (4) weeks; we expect to make the public disclosure (via a blog post) on Wednesday, Aug 30th, 2023.
⚙️ Chore
- [core:admin] Chore: Drop getRequestUrl from the admin app (#17439) @gu-stav
- [core:admin] Chore: Move marketplace and plugins hooks into their page contexts (#17533) @gu-stav
- [core:content-manager] Chore: Inline fetch functions and drop getRequestUrl from content-manager (#17437) @gu-stav
- [core:content-manager] Chore: Drop lodash from configure the view page (#17438) @gu-stav
- [core:content-manager] Chore: Cleanup configure the view styles (#17440) @gu-stav
- [core:strapi] Drop Node 14 support, add Node 20 (#16557) @innerdvations
- [dependencies] chore(deps): bump winston from 3.9.0 to 3.10.0 (#17268) @dependabot
- [dependencies] Update semver to remove audit warnings (#17449) @derrickmehaffy
- [dependencies] chore(deps-dev): bump the eslint group with 3 updates (#17507) @dependabot
- [dependencies] chore(deps-dev): bump core-js from 3.31.0 to 3.32.0 (#17508) @dependabot
- [docs] Fix some spelling and standardiZe regional usages (#17491) @innerdvations
- [tooling] tests(e2e): init playwright, add small test suite & cli (#14807) @alexandrebodin
💅 Enhancement
- [core:content-manager] Add case insensitive filters to content manager (#16960) @marob
- [core:content-manager] Feat: Add creator fields as filter options (#17043) @Feranchz
- [core:data-transfer] [DTS] Add detail to ws upgrade error (#17452) @innerdvations
- [core:utils] Wildcard populate performance optimizations (#16507) @Convly
- [generators:app] fix: Update env.example (#16570) @xiaotiandada
🔥 Bug fix
- [core:admin] Fix: Registration - Send null for lastname instead of empty string (#17462) @gu-stav
- [core:data-transfer] Fix data transfer relations (#17475) @christiancp100
- [core:review-workflows] fix: reorder rw permissions so they appear as CRUD (#17493) @Marc-Roig
- [core:review-workflows] fix: Content API partial update fails when not populating stage field (#17512) @Marc-Roig
- [core:upload] fixed: Media Library - Can`t delete empty folder #17263 (#17280) @noobCode-69
- [core:upload] Update media thumbnails on replace (#17455) @jhoward1994
- [core:upload] Fix: Upload assets from url (#17459) @Feranchz
- [tooling] Fix intermittently failing API tests by using consistent versions of sqlite packages (#17490) @innerdvations
📚 Update and Migration Guides
- General update guide can be found here
- Migration guides can be found here 📚
### Summary
Field-level permissions are not respected in the relationship title. If I have a relationship title and the relationship shows a field I don't have permission to see, it will still be visible.
### Details
There are no RBAC checks on the relationship that the relation endpoint returns.
### PoC
#### Setup
- Create a fresh Strapi instance.
- Create a new content type; in the newly created content type, add a relation to the users-permissions user. Save.
- Create a users-permissions user.
- Using the content type you created, create an entry in it related to the users-permissions user.
- Go to Settings -> Admin panel -> Roles -> Author.
- Give the Author role full permissions on the content type you created. Make sure it doesn't have any permission to see User. Save.
- Create a new admin account with only the Author role.
#### CVE
- Log in with the newly created Author account.
- Go to the content manager, to the collection type you created with the relationship to users_permissions_user.
- You now see a field you don't have...
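The missing check described above, shown as an added example that is not Strapi's own code: the relation title (the configured main field of the related record) is only exposed when the actor's RBAC permissions grant read access to that field on the related content type. The permission object shape (action/subject/properties.fields), the content-type UIDs and the user record are assumptions and constructed sample data.

```javascript
// Added example (not Strapi's code): filtering a relation "title" by
// field-level admin RBAC permissions. The permission shape below mirrors
// Strapi admin permission objects as an assumption; all data is constructed.

// Constructed sample: permissions of the Author role. Full read on the custom
// content type, no read permission at all on the users-permissions user.
const authorPermissions = [
  { action: 'plugin::content-manager.explorer.read',
    subject: 'api::article.article',
    properties: { fields: ['title', 'author'] } },
];

// Constructed sample: the related user record as the relation endpoint loads it.
const relatedUser = { id: 7, username: 'alice', email: 'alice@example.com' };

// Fields of `subject` the actor may read; empty when no read permission exists.
function readableFields(permissions, subject) {
  return permissions
    .filter(p => p.action === 'plugin::content-manager.explorer.read'
              && p.subject === subject)
    .flatMap(p => (p.properties && p.properties.fields) || []);
}

// Pre-4.12.1 behaviour as the advisory describes it: the main field is
// returned as the relation title without any permission check.
function relationTitleUnchecked(entity, mainField) {
  return { id: entity.id, [mainField]: entity[mainField] };
}

// Hardened behaviour: expose the main field only if the actor may read it on
// the related content type; otherwise the title degrades to the id alone.
function relationTitleChecked(permissions, subject, entity, mainField) {
  const allowed = new Set(readableFields(permissions, subject));
  const result = { id: entity.id };
  if (allowed.has(mainField)) result[mainField] = entity[mainField];
  return result;
}
```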