Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nMjdqLTc0ZnAteGZwcs04jw

Insecure default value for CORS configuration

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-g27j-74fp-xfpr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nMjdqLTc0ZnAteGZwcs04jw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago


CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-g27j-74fp-xfpr, CVE-2022-26969
References: Repository: https://github.com/directus/directus

Affected Packages

npm:directus
Dependent packages: 16
Dependent repositories: 115
Downloads: 79,132 last month
Affected Version Ranges: < 9.7.0
Fixed in: 9.7.0
All affected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0
All unaffected versions: 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4