
Cloud Vulnerability DB
A community-led vulnerabilities database
Strapi through 4.5.5 contains an authentication bypass vulnerability (CVE-2023-22893) that affects the AWS Cognito login provider. The vulnerability allows a remote attacker to forge an ID token that declares the 'none' signing algorithm (a JWT carrying no signature) to bypass authentication and impersonate any user that uses AWS Cognito for authentication. The vulnerability was discovered in December 2022 and patched in version 4.6.0 (NVD, Strapi Blog).
The vulnerability exists in the AWS Cognito login provider code, where OAuth token verification was missing. The code only decoded the JWT without verifying its signature, so an attacker-supplied token with arbitrary claims was accepted as genuine. The CVSS v3.1 base score is 7.5 HIGH with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability affects all Strapi versions from 3.2.1 to 4.5.5 (Strapi Blog).
An attacker could exploit this vulnerability to bypass authentication and impersonate any user that uses AWS Cognito for authentication. This could lead to unauthorized access to user accounts and sensitive data. The vulnerability only impacts Strapi API user authentication and cannot be exploited to gain access to the admin panel (GhostCcamm Blog).
Organizations should immediately update to Strapi version 4.6.0 or later, which includes the patch for this vulnerability. Strapi 3.x.x users must upgrade to a patched 4.x.x version, as version 3 reached end-of-life support on December 31st, 2022. After upgrading, users need to reconfigure their AWS Cognito provider to include the JWKS URL so that ID token signatures are verified against Cognito's published keys (Strapi Blog).
Source: This report was generated using AI