GHSA-G27J-74FP-XFPR
Vulnerability from github – Published: 2022-04-05 18:31 – Updated: 2025-04-14 22:07
VLAI
Summary
Insecure default value for CORS configuration
Details
Impact
The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.
Patches
The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0
Workarounds
Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.
For more information
If you have any questions or comments about this advisory: * Open an issue in directus/directus * Email us at security@directus.io
Severity
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-26969"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-05T18:31:22Z",
"nvd_published_at": "2022-12-26T06:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nThe default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn\u0027t been changed.\n\n### Patches\n\nThe default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0\n\n### Workarounds\n\nConfigure the CORS environment variables to match your project\u0027s usage, rather than leaving them at the (permissive) defaults.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [directus/directus](https://github.com/directus/directus)\n* Email us at [security@directus.io](mailto:security@directus.io)",
"id": "GHSA-g27j-74fp-xfpr",
"modified": "2025-04-14T22:07:39Z",
"published": "2022-04-05T18:31:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26969"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/pull/12022"
},
{
"type": "WEB",
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/releases/tag/v9.7.0"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure default value for CORS configuration"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…