Описание
Insecure default value for CORS configuration
Impact
The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.
Patches
The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0
Workarounds
Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.
For more information
If you have any questions or comments about this advisory:
- Open an issue in directus/directus
- Email us at security@directus.io
Ссылки
- https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr
- https://nvd.nist.gov/vuln/detail/CVE-2022-26969
- https://github.com/directus/directus/pull/12022
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
- https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md
- https://github.com/directus/directus/releases/tag/v9.7.0
- https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822
Пакеты
Наименование
directus
npm
Затронутые версииВерсия исправления
< 9.7.0
9.7.0
Связанные уязвимости
CVSS3: 9.8
nvd
около 3 лет назад
In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.