GHSA-G27J-74FP-XFPR

Vulnerability from github – Published: 2022-04-05 18:31 – Updated: 2025-04-14 22:07
VLAI
Summary
Insecure default value for CORS configuration
Details

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory: * Open an issue in directus/directus * Email us at security@directus.io

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26969"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-05T18:31:22Z",
    "nvd_published_at": "2022-12-26T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn\u0027t been changed.\n\n### Patches\n\nThe default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0\n\n### Workarounds\n\nConfigure the CORS environment variables to match your project\u0027s usage, rather than leaving them at the (permissive) defaults.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [directus/directus](https://github.com/directus/directus)\n* Email us at [security@directus.io](mailto:security@directus.io)",
  "id": "GHSA-g27j-74fp-xfpr",
  "modified": "2025-04-14T22:07:39Z",
  "published": "2022-04-05T18:31:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/pull/12022"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure default value for CORS configuration"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…