Session Fixation Affecting @directus/api package, versions <21.0.1, >=22.0.0 <22.2.0


Severity

medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 0.05% (18th percentile)

  • Snyk ID: SNYK-JS-DIRECTUSAPI-7926877
  • published: 11 Sept 2024
  • disclosed: 10 Sept 2024
  • credit: José Varela

Introduced: 10 Sep 2024

CVE-2024-45596
CWE-384

How to fix?

Upgrade @directus/api to version 21.0.1, 22.2.0 or higher.

Overview

@directus/api is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Session Fixation via the respond middleware. An attacker can obtain the credentials of the last user who authenticated via an SSO link that had no redirect query string in the URL.

PoC

-Create a new Directus project

-Set CACHE_ENABLED to true

-Set CACHE_STORE to redis for reliable results (if using memory with multiple nodes, it may only happen sometimes, due to cache being different for different nodes)

-Configure REDIS with redis string or redis host, port, user, etc.

-Set AUTH_PROVIDERS to openid

-Set PUBLIC_URL to the main URL of your project. For example, PUBLIC_URL: http://localhost:8055

-Configure AUTH_OPENID_CLIENT_ID, AUTH_OPENID_CLIENT_SECRET, AUTH_OPENID_ISSUER_URL with proper OpenID configurations

-Be sure that on OpenID external app you have configured Redirect URI to http://localhost:8055/auth/login/openid/callback

-Run Directus

-Open the SSO link like http://localhost:8055/auth/login/openid/callback

-Do the authentication on the OpenID external webpage

-Verify that you got redirected to a page with a JSON including access_token property

-Be sure all anonymous mode windows are closed

-Open an anonymous window and go to the SSO Link http://localhost:8055/auth/login/openid/callback and see you have the same credentials, even though you don't have any session because you are in anonymous mode.
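The PoC above only works when the response cache is enabled, which points at the class of defect involved: a response cache keyed on the request path alone will store the SSO callback's credential-bearing JSON and hand it to the next anonymous visitor of the same URL. The following is an added illustrative model of that bug next to one hardening approach (bypassing the cache for authentication routes, per-user responses and credential-bearing bodies); it is not Directus's code, and the handler, request shape and identity provider URL are constructed for the example.

```javascript
// Constructed stand-in for an SSO callback handler: once the identity provider
// has asserted a user, it answers with a JSON body carrying an access_token;
// an anonymous visitor is instead redirected to the provider.
function ssoCallbackHandler(req) {
  if (!req.user) {
    return { status: 302, location: 'https://idp.example/authorize', body: null };
  }
  return { status: 200, body: { access_token: `token-for-${req.user}` } };
}

// Shared skeleton: look up by key, otherwise run the handler and store the
// response when the supplied policy says it may be cached.
function makeCache(handler, cacheablePolicy) {
  const store = new Map();
  return (req) => {
    const key = req.path; // keyed on path only, so all visitors share one entry
    if (store.has(key)) return { ...store.get(key), fromCache: true };
    const res = handler(req);
    if (cacheablePolicy(req, res)) store.set(key, res);
    return { ...res, fromCache: false };
  };
}

// Vulnerable policy: every successful response is cached, including the
// callback response that contains the victim's access_token.
function makeVulnerableCache(handler) {
  return makeCache(handler, (req, res) => res.status === 200);
}

// Hardened policy: never cache authentication endpoints, responses produced
// for an authenticated user, or any body that carries credentials.
function isCacheable(req, res) {
  if (req.path.startsWith('/auth/')) return false;
  if (req.user) return false;
  if (res.body && 'access_token' in res.body) return false;
  return res.status === 200;
}
function makeHardenedCache(handler) {
  return makeCache(handler, isCacheable);
}

// Replays the PoC sequence: the victim completes SSO, then an anonymous
// window (user null) opens the same callback URL. Returns what it received.
function replayPoC(cacheFactory) {
  const serve = cacheFactory(ssoCallbackHandler);
  serve({ path: '/auth/login/openid/callback', user: 'alice' });
  return serve({ path: '/auth/login/openid/callback', user: null });
}
```

With the vulnerable cache the anonymous request receives alice's token straight from the cache; with the hardened policy it gets the 302 to the identity provider and nothing is stored.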
