SCA: security update for @strapi/strapi, strapi (GHSA-vgj7-895j-gpr6)

high Tenable Self-Hosted Container Security Plugin ID 419328

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as
email and password reset tokens, for API users if content types accessible to the authenticated user
contain relationships to API users (from:users-permissions). There are many scenarios in which such
details from API users can leak in the JSON response within the admin panel, either through a direct or
indirect relationship. Access to this information enables a user to compromise these users’ accounts if
the password reset API endpoints have been enabled. In a worst-case scenario, a low-privileged user could
get access to a high-privileged API account, and could read and modify any data as well as block access to
both the admin panel and API by revoking privileges for all other users. (CVE-2022-30618)

See Also

https://github.com/advisories/GHSA-vgj7-895j-gpr6

Plugin Details

Severity: High

ID: 419328

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2022-30618

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/20/2022

Vulnerability Publication Date: 5/19/2022

Reference Information

CVE: CVE-2022-30618

cwe: CWE-212