Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qZ2Y0LXZ3YzMtcjQ2ds4AA9oh
Directus Allows Single Sign-On User Enumeration
Impact
When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider.
Reproduction
- Create a user using a SSO provider
[email protected]. - Try to log-in using the regular login form (or the API)
- When using a valid email address
| APP | API |
|---|---|
- When using an invalid email address
| APP | API |
|---|---|
- Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.
Workarounds
When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable AUTH_DISABLE_DEFAULT="true"
References
Implemented as feature in https://github.com/directus/directus/pull/13184
https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZ2Y0LXZ3YzMtcjQ2ds4AA9oh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 5 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00046
EPSS Percentile: 0.18926
Identifiers: GHSA-jgf4-vwc3-r46v, CVE-2024-39896
References:
- https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v
- https://nvd.nist.gov/vuln/detail/CVE-2024-39896
- https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2
- https://github.com/advisories/GHSA-jgf4-vwc3-r46v
Blast Radius: 15.5
Affected Packages
npm:directus
Dependent packages: 16Dependent repositories: 115
Downloads: 29,409 last month
Affected Version Ranges: >= 9.11, < 10.13.0
Fixed in: 10.13.0
All affected versions: 9.11.0, 9.11.1, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.14.5, 9.15.0, 9.15.1, 9.16.0, 9.16.1, 9.17.0, 9.17.1, 9.17.2, 9.17.3, 9.17.4, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.20.3, 9.20.4, 9.21.0, 9.21.2, 9.22.0, 9.22.1, 9.22.3, 9.22.4, 9.23.1, 9.23.3, 9.23.4, 9.24.0, 9.25.0, 9.25.1, 9.25.2, 9.26.0, 10.0.0, 10.1.0, 10.1.1, 10.2.0, 10.2.1, 10.3.0, 10.3.1, 10.4.1, 10.4.2, 10.4.3, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.7.0, 10.7.1, 10.7.2, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.9.0, 10.9.1, 10.9.2, 10.9.3, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.10.6, 10.10.7, 10.11.0, 10.11.1, 10.11.2, 10.12.0, 10.12.1
All unaffected versions: 9.0.0, 9.0.1, 9.1.0, 9.1.1, 9.1.2, 9.2.0, 9.2.1, 9.2.2, 9.3.0, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.5.2, 9.6.0, 9.7.0, 9.7.1, 9.8.0, 9.9.0, 9.9.1, 9.10.0, 10.13.0, 10.13.1, 10.13.2, 10.13.4, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.1.2, 11.2.0, 11.2.1, 11.2.2, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5