exploitDog
GHSA-849r-qrwj-8rv4

Published: 09 Dec 2024
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

Directus allows unauthenticated access to WebSocket events and operations

Summary

When WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH is set to "public", an unauthenticated user is able to perform any of the supported operations (CRUD, subscriptions) with full admin privileges.

Details

Accountability for unauthenticated WebSocket requests was set to null. Before the Permissions Policy update, a null accountability meant "public permissions"; since that update, null defaults to system/admin level access. Instead of null, the WebSocket layer needs to use createDefaultAccountability() so that unauthenticated users get public permissions.
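The following is an added illustration, not Directus source code, of the defect the Details paragraph describes: an anonymous WebSocket client receives a null accountability, and a permission check written after the Permissions Policy update treats null as the internal system context, so the anonymous client bypasses every permission. The fixed variant hands out an explicit public accountability instead. The permission table, the field names on the accountability object and the token stand-in are all assumptions made for the example.

```javascript
// Added illustration (not Directus code) of null-accountability privilege escalation.

// Constructed permission table: which roles may read which collection.
const PERMISSIONS = {
  articles: { read: ['public', 'editor'] }, // publicly readable collection
  internal_notes: { read: ['editor'] },     // staff-only collection
};

// Stand-in for createDefaultAccountability(): an explicit anonymous identity
// carrying only the "public" role (field names are assumptions).
function createDefaultAccountability() {
  return { user: null, role: null, admin: false, roles: ['public'] };
}

// Stand-in for token validation; a real implementation would verify a JWT.
function accountabilityFromToken(token) {
  if (token === 'editor-token') {
    return { user: 'u1', role: 'r1', admin: false, roles: ['editor', 'public'] };
  }
  throw new Error('invalid token');
}

// Pre-fix resolution: in "public" auth mode an anonymous client gets null.
function resolveAccountabilityVulnerable(authMode, token) {
  if (token) return accountabilityFromToken(token);
  if (authMode !== 'public') throw new Error('authentication required');
  return null; // intended to mean "anonymous"
}

// Post-fix resolution: anonymous clients get an explicit public accountability.
function resolveAccountabilityFixed(authMode, token) {
  if (token) return accountabilityFromToken(token);
  if (authMode !== 'public') throw new Error('authentication required');
  return createDefaultAccountability();
}

// Permission check with the post-update semantics: null is the internal system
// context and skips permissions entirely. That is what turns the old
// "null means anonymous" convention into full admin access.
function canRead(accountability, collection) {
  if (accountability === null) return true; // system/admin context
  if (accountability.admin) return true;
  const rule = PERMISSIONS[collection];
  if (!rule) return false;
  return rule.read.some((role) => accountability.roles.includes(role));
}

// Compare both resolutions for an anonymous client.
function demo() {
  const anonVulnerable = resolveAccountabilityVulnerable('public', undefined);
  const anonFixed = resolveAccountabilityFixed('public', undefined);
  return {
    vulnerableReadsInternal: canRead(anonVulnerable, 'internal_notes'), // true: bypass
    fixedReadsInternal: canRead(anonFixed, 'internal_notes'),           // false: public role only
    fixedReadsArticles: canRead(anonFixed, 'articles'),                 // true: public collection
  };
}
```

The lesson for any permission layer is the same as in the advisory: a sentinel such as null should never double as both "no identity" and "trusted internal caller"; represent the anonymous principal explicitly so that a later change to what the sentinel means cannot silently widen access.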

PoC

  1. Start Directus with
     WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public
  2. Subscribe using GraphQL or REST, or do any CRUD operation on a user-created collection (system tables are not reachable with CRUD):
     subscription { directus_users_mutated { key event data { id email first_name last_name password } } }

     or

     { "type": "items", "action": "read", "collection": "your_collection_name" }

  3a. Open the Data Studio as any user. Observe how the subscriber gets notified on each page navigation (because the user's last_page gets updated; the password field is properly redacted here).

  3b. Observe receiving all available items from the your_collection_name collection.

Impact

This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public, allowing unauthenticated users to subscribe to changes on any collection or perform REST CRUD operations on user-defined collections while ignoring permissions.
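As an added audit helper, not part of Directus, the block below checks whether an instance's environment and installed package versions fall inside the exposure window this advisory describes: WebSockets enabled, at least one of the two auth settings at "public", and a package version in one of the affected ranges listed under Packages. The sample environment and package versions are constructed for the example; a real run would pass process.env and the versions read from the lockfile.

```javascript
// Added audit helper (not Directus code) for the exposure window in GHSA-849r-qrwj-8rv4.

// Affected ranges exactly as listed in the advisory: [min, fixed).
const AFFECTED_RANGES = {
  directus: { min: '11.0.0', fixed: '11.3.0' },
  '@directus/api': { min: '22.2.0', fixed: '23.2.0' },
};

const WS_AUTH_KEYS = ['WEBSOCKETS_GRAPHQL_AUTH', 'WEBSOCKETS_REST_AUTH'];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release/build suffix are dropped.
function parseVersion(version) {
  const core = String(version).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  return parts;
}

// Numeric comparison so that 11.10.0 sorts after 11.9.0 (string compare would not).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(pkg, version) {
  const range = AFFECTED_RANGES[pkg];
  if (!range) return false;
  return compareVersions(version, range.min) >= 0 && compareVersions(version, range.fixed) < 0;
}

// env: an object shaped like process.env; packages: { packageName: installedVersion }.
function auditWebSocketExposure(env, packages) {
  // WEBSOCKETS_ENABLED is off unless explicitly "true" (assumed default for this example).
  const websocketsEnabled = String(env.WEBSOCKETS_ENABLED ?? 'false').toLowerCase() === 'true';
  const publicModes = WS_AUTH_KEYS.filter((k) => String(env[k] ?? '').toLowerCase() === 'public');
  const affectedPackages = Object.entries(packages)
    .filter(([name, version]) => isAffectedVersion(name, version))
    .map(([name, version]) => `${name}@${version}`);

  // All three conditions must hold for the advisory's scenario to apply.
  const exposed = websocketsEnabled && publicModes.length > 0 && affectedPackages.length > 0;

  const actions = [];
  if (affectedPackages.length > 0) {
    actions.push(`upgrade ${affectedPackages.join(', ')} (fixed in directus 11.3.0 / @directus/api 23.2.0)`);
  }
  if (publicModes.length > 0) {
    actions.push(`until patched, set ${publicModes.join(' and ')} to a value other than "public"`);
  }
  return { exposed, websocketsEnabled, publicModes, affectedPackages, actions };
}

// Constructed sample: unpatched instance with the GraphQL socket open to anonymous clients.
const SAMPLE_ENV = { WEBSOCKETS_ENABLED: 'true', WEBSOCKETS_GRAPHQL_AUTH: 'public' };
const SAMPLE_PACKAGES = { directus: '11.2.0', '@directus/api': '23.1.0' };

console.log(JSON.stringify(auditWebSocketExposure(SAMPLE_ENV, SAMPLE_PACKAGES), null, 2));
```

The check deliberately reports the three conditions separately: a patched instance that still runs with a "public" WebSocket auth mode is not affected by this advisory, but it is the configuration the advisory's PoC relies on, so it is worth surfacing in its own right.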

Packages

Name: directus (npm)
Affected versions: >= 11.0.0, < 11.3.0
Fixed version: 11.3.0

Name: @directus/api (npm)
Affected versions: >= 22.2.0, < 23.2.0
Fixed version: 23.2.0

EPSS

Percentile: 59%
Score: 0.00387
Low

CVSS3: 7.5 High

Weaknesses

CWE-200

Related vulnerabilities

CVSS3: 7.5
nvd
about 1 year ago

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 11.0.0 and prior to version 11.3.0, when setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges. This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions. Version 11.3.0 fixes the issue.
