Session Fixation Affecting @directus/api package, versions <21.0.1 >=22.0.0 <22.2.0
- Snyk ID SNYK-JS-DIRECTUSAPI-7926877
- published 11 Sep 2024
- disclosed 10 Sep 2024
- credit José Varela
Introduced: 10 Sep 2024
CVE-2024-45596
How to fix?
Upgrade @directus/api to version 21.0.1, 22.2.0 or higher.
Overview
@directus/api is a real-time API and App dashboard for managing SQL database content.
Affected versions of this package are vulnerable to Session Fixation via the respond middleware. An attacker can obtain the credentials of the last user who authenticated via an SSO link that had no redirect query string in the URL.
PoC
- Create a new Directus project.
- Set CACHE_ENABLED to true.
- Set CACHE_STORE to redis for reliable results (if using memory with multiple nodes, it may only happen sometimes, because each node has its own cache).
- Configure REDIS with a Redis connection string or with the Redis host, port, user, etc.
- Set AUTH_PROVIDERS to openid.
- Set PUBLIC_URL to the main URL of your project. For example, PUBLIC_URL: http://localhost:8055
- Configure AUTH_OPENID_CLIENT_ID, AUTH_OPENID_CLIENT_SECRET and AUTH_OPENID_ISSUER_URL with proper OpenID configuration.
- Be sure that on the external OpenID app you have configured the Redirect URI to http://localhost:8055/auth/login/openid/callback
- Run Directus.
- Open the SSO link, e.g. http://localhost:8055/auth/login/openid/callback
- Do the authentication on the OpenID external webpage.
- Verify that you got redirected to a page with a JSON including an access_token property.
- Be sure all anonymous mode windows are closed.
- Open an anonymous window and go to the SSO link http://localhost:8055/auth/login/openid/callback and see that you have the same credentials, even though you don't have any session because you are in anonymous mode.
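The underlying risk in the overview and PoC is a response cache that stores a per-user SSO callback response and replays it to the next visitor. The following is an added illustration of the defensive gate such a cache needs; it is not Directus code, and the `respond`, `shouldCacheResponse` and `ssoCallback` names are hypothetical.

```javascript
// Added illustration, not Directus code: a response-cache gate that refuses to
// store per-user responses, so a token issued by an SSO callback is never
// replayed to the next anonymous visitor. All names here are hypothetical.
const CREDENTIAL_FIELDS = ['access_token', 'refresh_token'];

function shouldCacheResponse(req, res) {
  if (req.method !== 'GET') return false;                              // only idempotent reads
  if (req.path.startsWith('/auth/')) return false;                      // login/SSO/refresh are per-user
  if (req.headers.authorization || req.headers.cookie) return false;   // caller-specific answer
  const cc = String(res.headers['cache-control'] || '').toLowerCase();
  if (/\b(no-store|private)\b/.test(cc) || res.headers['set-cookie']) return false;
  const json = JSON.stringify(res.body ?? null);                        // last line of defence:
  return !CREDENTIAL_FIELDS.some((f) => json.includes(`"${f}"`));      // never cache token material
}

// Cache key includes the query string, so a URL with and without a query
// string are distinct entries rather than one shared response.
function cacheKey(req) {
  return `${req.method} ${req.path}${req.query ? '?' + req.query : ''}`;
}

// Simplified "respond" middleware: serve from cache, otherwise run the handler
// and store the result only when shouldCacheResponse() allows it.
function respond(req, handler, store) {
  const key = cacheKey(req);
  if (req.method === 'GET' && store.has(key)) return { fromCache: true, body: store.get(key) };
  const res = handler(req);
  if (shouldCacheResponse(req, res)) store.set(key, res.body);
  return { fromCache: false, body: res.body };
}

// Constructed stand-in for an SSO callback: issues a token only when the
// provider's authorization code is present, otherwise answers with an error.
function ssoCallback(req) {
  if (/(^|&)code=/.test(req.query || '')) {
    return { headers: {}, body: { access_token: 'constructed-token-abc', expires: 900000 } };
  }
  return { headers: {}, body: { errors: [{ message: 'Invalid code' }] } };
}

// Demo: the callback response is never stored, while a public endpoint is.
function demo() {
  const store = new Map();
  const cb = { method: 'GET', path: '/auth/login/openid/callback', query: 'code=constructed', headers: {} };
  const first = respond(cb, ssoCallback, store);   // token issued to the real user
  const second = respond(cb, ssoCallback, store);  // handler runs again, nothing replayed from cache
  const pub = { method: 'GET', path: '/server/info', query: '', headers: {} };
  respond(pub, () => ({ headers: {}, body: { project: { name: 'constructed' } } }), store);
  return { first, second, cachedKeys: [...store.keys()] };
}
```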