logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-54151 directus

Package

Manager: npm
Name: directus
Vulnerable Version: >=11.0.0 <11.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00222 pctl0.44796

Details

Directus allows unauthenticated access to WebSocket events and operations ### Summary When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. ### Details Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of `createDefaultAccountability()` to ensure public permissions are used for unauthenticated users. ### PoC 1. Start directus with ```bash WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public ``` 2. Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud) ```gql subscription { directus_users_mutated { key event data { id email first_name last_name password } } } ``` or ```json { "type": "items", "action": "read", "collection": "your_collection_name" } ``` 3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the users `last_page` gets updated, the `password` fields is properly redacted here) 3b. Observe receiving all available items from the `your_collection_name` collection. ### Impact This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions.

Metadata

Created: 2024-12-09T20:40:54Z
Modified: 2024-12-09T21:54:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-849r-qrwj-8rv4/GHSA-849r-qrwj-8rv4.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-849r-qrwj-8rv4
Finding: F310
Auto approve: 1