directus@10.8.2 vulnerabilities

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure due to the error handling mechanism when integrating SSO with local authentication. An attacker can determine if a user is registered with an SSO provider by attempting to authenticate with an email that is already linked to an SSO account, which triggers a specific error message.

Upgrade directus to version 10.13.0 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to improper check when importing file from the URL and the result URL. An attacker can execute unauthorized requests to internal network resources by manipulating URL redirects during the file import operation.

Upgrade directus to version 10.9.3 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Resource Exhaustion through the /graphql endpoint. An attacker can cause the server to perform redundant computations and consume excessive resources.

Upgrade directus to version 10.12.0 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the random string generation utility. An attacker can disrupt the service by providing a non-numeric length value, which leads to a memory issue that prevents the generation of random strings, affecting session refresh capabilities.

Upgrade directus to version 10.11.2 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure through the alias functionality. An attacker can access sensitive data by manipulating the API request parameters.

Notes:

This is only exploitable if the user has permissions to view any collection using redacted hashed fields.

Steps to reproduce:

1. Set up a simple role with read-access to users.

2. Create a new user with the role from the previous step

3. Assign a password to the user

To confirm this vulnerability, visit /users/me. You should be presented with a redacted JSON-object. Next, visit /users/me?alias[hash]=password. This time, the returned JSON object will included the raw password hash instead of the redacted value.

Upgrade directus to version 10.11.0 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to URL Redirection to Untrusted Site ('Open Redirect') via the redirect parameter in the authentication API. An attacker can redirect users to an untrusted site after successful login, potentially leading to phishing attacks by presenting a malicious site that mimics an error message to deceive users into providing sensitive information.

Upgrade directus to version 10.10.0 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Information Exposure Through Sent Data via the process of reaching the /files page where a JWT is passed through a GET request. Inclusion of session tokens in URLs poses a security risk as URLs are often logged in various places such as web server logs and browser history. Attackers gaining access to these logs may hijack active user sessions, leading to unauthorized access to sensitive information or actions on behalf of the user.

Upgrade directus to version 10.10.0 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the password reset mechanism implementation combined with default database configurations in MySQL and MariaDB. This allows attackers in possession of a known good email address to redirect a password reset email intended for a victim by registering a similar email address with alternative characters that are considered equivalent to the same ones as characters in the stored email address, by the database engine. The API uses the supplied email address for sending the reset password mail instead of the email address from the database.

Upgrade directus to version 10.8.3 or higher.

directus is a Directus is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata in the form of the version number, which is included in compiled JS bundles that are accessible without authentication.

Upgrade directus to version 10.8.3 or higher.