CVE-2023-27481 – Extract password hashes through export querying in directus
https://notcve.org/view.php?id=CVE-2023-27481
Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. • https://github.com/directus/directus/pull/14829 https://github.com/directus/directus/pull/15010 https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2023-26492 – Directus vulnerable to Server-Side Request Forgery On File Import
https://notcve.org/view.php?id=CVE-2023-26492
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0. • https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff https://github.com/directus/directus/releases/tag/v9.23.0 https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-26969
https://notcve.org/view.php?id=CVE-2022-26969
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true. En Directus anterior a 9.7.0, la configuración predeterminada de CORS_ORIGIN y CORS_ENABLED es verdadera. • https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md https://github.com/directus/directus/pull/12022 https://github.com/directus/directus/releases/tag/v9.7.0 https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822 •
CVE-2022-36031 – Unhandled exception on illegal filename_disk value
https://notcve.org/view.php?id=CVE-2022-36031
Directus is a free and open-source data platform for headless content management. The Directus process can be aborted by having an authorized user update the `filename_disk` value to a folder and accessing that file through the `/assets` endpoint. This vulnerability has been patched and release v9.15.0 contains the fix. Users are advised to upgrade. Users unable to upgrade may prevent this problem by making sure no (untrusted) non-admin users have permissions to update the `filename_disk` field on `directus_files`. • https://github.com/directus/directus/security/advisories/GHSA-77qm-wvqq-fg79 • CWE-755: Improper Handling of Exceptional Conditions •