CVE-2024-45596 (GCVE-0-2024-45596)
Vulnerability from cvelistv5 – Published: 2024-09-10 18:43 – Updated: 2024-09-10 19:20
VLAI?
Title
Directus's session is cached for OpenID and OAuth2 if `redirect` is not used
Summary
Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.
Severity ?
7.4 (High)
CWE
- CWE-524 - Use of Cache Containing Sensitive Information
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T19:20:20.595959Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T19:20:32.884Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003c 10.13.3"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.1.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-524",
"description": "CWE-524: Use of Cache Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T18:43:33.413Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8"
},
{
"name": "https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b"
},
{
"name": "https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52"
}
],
"source": {
"advisory": "GHSA-cff8-x7jv-4fm8",
"discovery": "UNKNOWN"
},
"title": "Directus\u0027s session is cached for OpenID and OAuth2 if `redirect` is not used"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45596",
"datePublished": "2024-09-10T18:43:33.413Z",
"dateReserved": "2024-09-02T16:00:02.423Z",
"dateUpdated": "2024-09-10T19:20:32.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.\"}, {\"lang\": \"es\", \"value\": \"Directus es una API en tiempo real y un panel de control de aplicaciones para administrar el contenido de bases de datos SQL. Un usuario no autenticado puede acceder a las credenciales del \\u00faltimo usuario autenticado a trav\\u00e9s de OpenID u OAuth2 donde la URL de autenticaci\\u00f3n no inclu\\u00eda una cadena de consulta de redireccionamiento. Esto sucede porque en ese endpoint, tanto para OpenID como para OAuth2, Directus usa el middleware de respuesta, que de manera predeterminada intentar\\u00e1 almacenar en cach\\u00e9 las solicitudes GET que cumplieron con algunas condiciones. Sin embargo, esas condiciones no incluyen este escenario, cuando una solicitud no autenticada devuelve las credenciales del usuario. Esta vulnerabilidad se corrigi\\u00f3 en 10.13.3 y 11.1.0.\"}]",
"id": "CVE-2024-45596",
"lastModified": "2024-09-11T16:26:11.920",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.0}]}",
"published": "2024-09-10T19:15:22.303",
"references": "[{\"url\": \"https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8\", \"source\": \"security-advisories@github.com\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-524\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-45596\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-10T19:15:22.303\",\"lastModified\":\"2025-11-17T18:42:18.550\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.\"},{\"lang\":\"es\",\"value\":\"Directus es una API en tiempo real y un panel de control de aplicaciones para administrar el contenido de bases de datos SQL. Un usuario no autenticado puede acceder a las credenciales del \u00faltimo usuario autenticado a trav\u00e9s de OpenID u OAuth2 donde la URL de autenticaci\u00f3n no inclu\u00eda una cadena de consulta de redireccionamiento. Esto sucede porque en ese endpoint, tanto para OpenID como para OAuth2, Directus usa el middleware de respuesta, que de manera predeterminada intentar\u00e1 almacenar en cach\u00e9 las solicitudes GET que cumplieron con algunas condiciones. Sin embargo, esas condiciones no incluyen este escenario, cuando una solicitud no autenticada devuelve las credenciales del usuario. Esta vulnerabilidad se corrigi\u00f3 en 10.13.3 y 11.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-524\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"10.13.3\",\"matchCriteriaId\":\"B761A4B2-2A24-4667-B697-60805666E109\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.1.0\",\"matchCriteriaId\":\"0249F0A8-ED9D-4C66-8EC1-B12210B5343B\"}]}]}],\"references\":[{\"url\":\"https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-45596\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T19:20:20.595959Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-10T19:20:28.230Z\"}}], \"cna\": {\"title\": \"Directus\u0027s session is cached for OpenID and OAuth2 if `redirect` is not used\", \"source\": {\"advisory\": \"GHSA-cff8-x7jv-4fm8\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"directus\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.13.3\"}, {\"status\": \"affected\", \"version\": \"\u003e= 11.0.0, \u003c 11.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-cff8-x7jv-4fm8\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b\", \"name\": \"https://github.com/directus/directus/commit/4aace0bbe57232e38cd6a287ee475293e46dc91b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52\", \"name\": \"https://github.com/directus/directus/commit/769fa22797bff5a9231599883b391e013f122e52\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId and Oauth2 Directus is using the respond middleware, which by default will try to cache GET requests that met some conditions. Although, those conditions do not include this scenario, when an unauthenticated request returns user credentials. This vulnerability is fixed in 10.13.3 and 11.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-524\", \"description\": \"CWE-524: Use of Cache Containing Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-10T18:43:33.413Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-45596\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-10T19:20:32.884Z\", \"dateReserved\": \"2024-09-02T16:00:02.423Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-10T18:43:33.413Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…