CVE-2024-39896 – directus

Package

Manager: npm
Name: directus
Vulnerable Version: >=9.11 <10.13.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0051 pctl0.65526

Details

Directus Allows Single Sign-On User Enumeration ### Impact When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. ### Reproduction 1. Create a user using a SSO provider `test@directus.io`. 2. Try to log-in using the regular login form (or the API) 3. When using a valid email address | **APP** | **API** | | --- | --- | |  |  | 4. When using an invalid email address | **APP** | **API** | | --- | --- | |  |  | 5. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user. ### Workarounds When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable `AUTH_DISABLE_DEFAULT="true"` ### References Implemented as feature in https://github.com/directus/directus/pull/13184 https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

Metadata

Created: 2024-07-08T18:41:57Z
Modified: 2024-07-08T18:41:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-jgf4-vwc3-r46v/GHSA-jgf4-vwc3-r46v.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-jgf4-vwc3-r46v
Finding: F310
Auto approve: 1