Session Fixation Affecting @directus/api package, versions <21.0.1 and >=22.0.0 <22.2.0


Severity

Recommended (Snyk): 6.3 medium, on the CVSS v4.0 scale of 0 to 10

CVSS assessment made by Snyk's Security Team

Threat Intelligence
  • Exploit Maturity: Proof of concept
  • EPSS: 0.05% (17th percentile)

  • Snyk ID SNYK-JS-DIRECTUSAPI-7926877
  • published 11 Sep 2024
  • disclosed 10 Sep 2024
  • credit José Varela

How to fix?

Upgrade @directus/api to version 21.0.1 if you are on the 21.x line, or to version 22.2.0 or higher.

Overview

@directus/api is a real-time API and App dashboard for managing SQL database content.

Affected versions of this package are vulnerable to Session Fixation via the respond middleware. When a user completes an SSO login through a link that carries no redirect query string, the provider callback answers with a JSON body that contains the user's access_token, and the respond middleware stores that response in the API response cache. Any later visitor of the same callback URL, with no session at all, is then served the cached body and obtains the credentials of the last user who authenticated that way. The issue only manifests when response caching is enabled (CACHE_ENABLED=true).

PoC

  • Create a new Directus project.
  • Set CACHE_ENABLED to true.
  • Set CACHE_STORE to redis for reliable results (with the memory store and several nodes the leak only shows up when the victim and the later visitor hit the same node, because every node has its own cache).
  • Configure Redis, either with a Redis connection string or with the separate host, port, user, etc. settings.
  • Set AUTH_PROVIDERS to openid.
  • Set PUBLIC_URL to the main URL of your project, for example PUBLIC_URL: http://localhost:8055.
  • Configure AUTH_OPENID_CLIENT_ID, AUTH_OPENID_CLIENT_SECRET and AUTH_OPENID_ISSUER_URL with the values for your OpenID provider.
  • In the OpenID provider's application settings, make sure http://localhost:8055/auth/login/openid/callback is registered as the Redirect URI.
  • Run Directus.
  • Open the SSO link without a redirect query string, for example http://localhost:8055/auth/login/openid/callback.
  • Authenticate on the OpenID provider's page.
  • Verify that you are redirected to a page showing a JSON body that includes an access_token property.
  • Make sure all private (incognito) windows are closed.
  • Open a new private window and go to the same SSO link, http://localhost:8055/auth/login/openid/callback: the same credentials are returned even though this window has no session at all.

CVSS Scores

version 4.0 (Snyk, recommended): 6.3 medium
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Passive
  • Confidentiality (VC)
    None
  • Integrity (VI)
    None
  • Availability (VA)
    None
  • Confidentiality (SC)
    High
  • Integrity (SI)
    None
  • Availability (SA)
    None