Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1tNXEzLTh3Z2YteDh4Zs4AAyAB

Directus vulnerable to extraction of password hashes through export querying

Impact

Users with read access to the password field in directus_users can extract the argon2 password hashes by brute forcing the export functionality combined with a _starts_with filter. This allows the user to enumerate the password hashes.

Patches

The problem has been patched by preventing any hashed/concealed field to be filtered against with the _starts_with or other string operator.

Workarounds

Ensuring that no user has read access to the password field in directus_users is sufficient to prevent this vulnerability.

For more information

If you have any questions or comments about this advisory:

• Open a Discussion in directus/directus
• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-m5q3-8wgf-x8xf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tNXEzLTh3Z2YteDh4Zs4AAyAB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-m5q3-8wgf-x8xf, CVE-2023-27481
References:

• https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf
• https://nvd.nist.gov/vuln/detail/CVE-2023-27481
• https://github.com/directus/directus/pull/14829
• https://github.com/directus/directus/pull/15010
• https://github.com/advisories/GHSA-m5q3-8wgf-x8xf

Repository: https://github.com/directus/directus
Blast Radius: 13.4

Affected Packages