Strapi Cognito provider Authentication Bypass (CVE-2023-22893)
Description
The AWS Cognito authentication provider in Strapi versions 4.5.1 and earlier does not verify the signature of the JWT tokens it receives during the authentication process. Because the provider trusts the token's claims without checking who signed it, an attacker can forge an authentication token and bypass the login mechanism entirely, gaining unauthorized access to the application without valid credentials.
Remediation
Upgrade Strapi to version 4.5.6 or later, which includes proper JWT signature verification for the AWS Cognito provider. Review the official Strapi security disclosure for complete details on affected versions. After upgrading, verify that authentication is functioning correctly and audit system logs for any suspicious authentication attempts that may have occurred prior to patching. If immediate upgrading is not possible, consider temporarily disabling the AWS Cognito authentication provider until the patch can be applied.