CVE-2021-28128 in Strapi
Summary
by MITRE • 05/07/2021
In Strapi through 3.6.0, the admin panel allows the changing of one's own password without entering the current password. An attacker who gains access to a valid session can use this to take over an account by changing the password.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 09/24/2021
The vulnerability identified as CVE-2021-28128 affects Strapi versions through 3.6.0 and represents a critical authentication flaw that undermines the security of user account management within the admin panel. This weakness stems from insufficient validation of password change requests, specifically failing to require the current password as a prerequisite for setting a new one. The vulnerability exists within the application's authentication flow where users can modify their own credentials without proper verification of their existing password, creating a significant vector for unauthorized access and account takeover.
The technical implementation of this flaw allows any authenticated user to change their password without providing the current password, which violates fundamental security principles of credential management. This vulnerability specifically impacts the admin panel functionality where users maintain session-based access to administrative features. The flaw enables attackers who have obtained valid session tokens to execute unauthorized password changes against accounts they have compromised, effectively taking complete control of those user accounts without requiring additional authentication factors or privileged access.
From an operational perspective, this vulnerability creates a severe risk for organizations relying on Strapi for content management and administrative operations. The impact extends beyond simple credential theft as it allows for persistent access to administrative functions, enabling attackers to modify content, alter user permissions, and potentially escalate their privileges within the system. The vulnerability aligns with CWE-305 Authentication Bypass and represents a direct violation of the principle of least privilege. Attackers can leverage this weakness to establish long-term access to systems, potentially leading to data breaches, content manipulation, and further lateral movement within compromised networks.
The security implications of this vulnerability are particularly concerning given that it operates within the admin panel where sensitive operations occur. The lack of current password verification creates an opportunity for attackers to maintain access even after initial compromise, as they can reset passwords to prevent legitimate users from regaining control of their accounts. This behavior corresponds to techniques described in the MITRE ATT&CK framework under credential access and privilege escalation tactics. Organizations using Strapi versions prior to 3.6.1 should implement immediate mitigations including updating to the patched version, implementing additional authentication controls, and monitoring for unauthorized password change activities. The vulnerability demonstrates the critical importance of proper authentication flow design and the necessity of implementing multi-factor authentication and session management controls to prevent such account takeover scenarios.