GHSA-849R-QRWJ-8RV4

Vulnerability from github – Published: 2024-12-09 20:40 – Updated: 2024-12-09 21:54
Summary
Directus allows unauthenticated access to WebSocket events and operations
Details

Summary

When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.

Details

Accountability for unauthenticated WebSocket requests is set to null, which used to mean "public permissions" until the Permissions Policy update, after which a null accountability defaults to system/admin-level access. Instead of null, createDefaultAccountability() must be used so that public permissions apply to unauthenticated users.

PoC

  1. Start directus with
WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public
  2. Subscribe using GraphQL or REST, or perform any CRUD operation on a user-created collection (system tables are not reachable via CRUD)
subscription {
    directus_users_mutated {
        key
        event
        data {
            id
            email
            first_name
            last_name
            password
        }
    }
}

or

{
   "type": "items",
   "action": "read",
   "collection": "your_collection_name"
}

3a. Open the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the user's last_page gets updated; the password field is properly redacted here).

3b. Observe receiving all available items from the your_collection_name collection.

Impact

This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public, allowing unauthenticated users to subscribe to changes on any collection or to perform REST CRUD operations on user-defined collections while ignoring permissions.
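The following is an added example and is not Directus project code. It is a small Node.js check an operator can run against a deployment's .env file to flag the exposed combination the advisory describes: WebSockets enabled, either WebSocket auth mode set to public, and a package version inside the advisory's affected ranges (directus 11.0.0 up to but excluding 11.3.0, @directus/api 22.2.0 up to but excluding 23.2.0). The .env text is constructed for the example, `assessDirectusConfig` and `parseEnv` are hypothetical helpers, the version comparison is a deliberately minimal major.minor.patch compare (pre-release tags ignored), and treating a missing WEBSOCKETS_ENABLED as "false" is an assumption of this example rather than a documented Directus default.

```javascript
// Added example (not Directus project code): flag a Directus deployment whose
// WebSocket auth mode is "public" while running a version affected by
// GHSA-849r-qrwj-8rv4. Affected ranges copied from the advisory record.
const AFFECTED = {
  directus: { introduced: '11.0.0', fixed: '11.3.0' },
  '@directus/api': { introduced: '22.2.0', fixed: '23.2.0' },
};

// Minimal semver compare for this example: major.minor.patch only,
// pre-release suffixes are dropped. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// True when introduced <= version < fixed for a package the advisory lists.
function isAffectedVersion(pkg, version) {
  const range = AFFECTED[pkg];
  if (!range) return false;
  return compareVersions(version, range.introduced) >= 0 &&
         compareVersions(version, range.fixed) < 0;
}

// Parse KEY=VALUE lines of a .env file. Blank lines and # comments are
// skipped; a value wrapped in matching single or double quotes is unwrapped.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) ||
       (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Returns one finding per WebSocket auth setting that is "public".
// `vulnerable` is true only when the running version is inside the
// advisory's affected range; otherwise the finding is informational
// (public WebSocket access is still enabled and the public role's
// permissions deserve review). Assumption: a missing WEBSOCKETS_ENABLED
// is treated as "false", so the WebSocket endpoint is not reachable.
function assessDirectusConfig(envText, pkg, version) {
  const env = parseEnv(envText);
  const findings = [];
  const wsEnabled = (env.WEBSOCKETS_ENABLED || 'false').toLowerCase() === 'true';
  if (!wsEnabled) return findings;
  const affected = isAffectedVersion(pkg, version);
  for (const key of ['WEBSOCKETS_GRAPHQL_AUTH', 'WEBSOCKETS_REST_AUTH']) {
    if ((env[key] || '').toLowerCase() !== 'public') continue;
    findings.push({
      setting: key,
      vulnerable: affected,
      message: affected
        ? `${key}=public on ${pkg}@${version}: unauthenticated WebSocket clients ` +
          `get admin-level access (GHSA-849r-qrwj-8rv4); upgrade to ` +
          `${AFFECTED[pkg].fixed} or later, or move ${key} off "public" until then`
        : `${key}=public: unauthenticated WebSocket access is enabled by ` +
          `configuration; confirm the public role's permissions are minimal`,
    });
  }
  return findings;
}

// Constructed sample .env mirroring the advisory's PoC configuration.
const SAMPLE_ENV = [
  '# constructed sample, not a real deployment',
  'WEBSOCKETS_ENABLED=true',
  'WEBSOCKETS_GRAPHQL_AUTH=public',
  'WEBSOCKETS_REST_AUTH="public"',
].join('\n');

for (const f of assessDirectusConfig(SAMPLE_ENV, 'directus', '11.2.0')) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'INFO'}: ${f.message}`);
}
```

The check deliberately keeps two outcomes apart: on an affected version a public WebSocket auth mode is a confirmed exposure, while on a fixed version it is a configuration choice whose safety depends entirely on what the public role is allowed to do, so the second case is reported as informational rather than suppressed.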


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "22.2.0"
            },
            {
              "fixed": "23.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-54151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-09T20:40:54Z",
    "nvd_published_at": "2024-12-09T21:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to \"public\", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.\n\n### Details\nAccountability for unauthenticated WebSocket requests is set to null, which used to be \"public permissions\" until the Permissions Policy update which now defaults that to system/admin level access. So instead of null we need to make use of `createDefaultAccountability()` to ensure public permissions are used for unauthenticated users.\n\n### PoC\n1. Start directus with\n```bash\nWEBSOCKETS_ENABLED=true\nWEBSOCKETS_GRAPHQL_AUTH=public\nWEBSOCKETS_REST_AUTH=public\n```\n\n2. Subscribe using GQL or REST or do any CRUD operation on a user created collection (system tables are not reachable with crud)\n```gql\nsubscription {\n    directus_users_mutated {\n        key\n        event\n        data {\n            id\n            email\n            first_name\n            last_name\n            password\n        }\n    }\n}\n```\nor\n```json\n{\n   \"type\": \"items\",\n   \"action\": \"read\",\n   \"collection\": \"your_collection_name\"\n}\n```\n3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the users `last_page` gets updated, the `password` fields is properly redacted here)\n\n3b. Observe receiving all available items from the `your_collection_name` collection.\n\n### Impact\n\nThis impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public` allowing unauthenticated users to subscribe for changes on any collection or do REST CRUD operations on user defined collections ignoring permissions.\n\n",
  "id": "GHSA-849r-qrwj-8rv4",
  "modified": "2024-12-09T21:54:13Z",
  "published": "2024-12-09T20:40:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-849r-qrwj-8rv4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54151"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/ce0397d16cf767b5293cd57f626c5349b5732a21"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus allows unauthenticated access to WebSocket events and operations"
}

