High severityNVD Advisory· Published May 3, 2022· Updated Aug 4, 2024
CVE-2021-46440
CVE-2021-46440
Description
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim's HTTP request, get the victim's cookie, perform a base64 decode on the victim's cookie, and obtain a cleartext password, leading to getting API documentation for further API attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
strapinpm | < 3.6.9 | 3.6.9 |
@strapi/strapinpm | >= 4.0.0, < 4.1.5 | 4.1.5 |
Affected products
3- Strapi/DOCUMENTATION plugindescription
- ghsa-coords2 versions
>= 4.0.0, < 4.1.5+ 1 more
- (no CPE)range: >= 4.0.0, < 4.1.5
- (no CPE)range: < 3.6.9
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-85vg-grr5-pw42ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-46440ghsaADVISORY
- packetstormsecurity.com/files/166915/Strapi-3.6.8-Password-Disclosure-Insecure-Handling.htmlghsax_refsource_MISCWEB
- github.com/strapi/strapi/pull/12246ghsax_refsource_MISCWEB
- hub.docker.com/r/strapi/strapighsax_refsource_MISCWEB
- strapi.ioghsaWEB
- strapi.iomitrex_refsource_MISC
News mentions
0No linked articles in our index yet.