GHSA-JGF4-VWC3-R46V

Vulnerability from github – Published: 2024-07-08 18:41 – Updated: 2024-07-08 18:41
VLAI?
Summary
Directus Allows Single Sign-On User Enumeration
Details

Impact

When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider.

Reproduction

  1. Create a user using a SSO provider test@directus.io.
  2. Try to log-in using the regular login form (or the API)
  3. When using a valid email address
APP API
image image
  1. When using an invalid email address
APP API
image image
  1. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.

Workarounds

When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable AUTH_DISABLE_DEFAULT="true"

References

Implemented as feature in https://github.com/directus/directus/pull/13184 https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.11"
            },
            {
              "fixed": "10.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T18:41:57Z",
    "nvd_published_at": "2024-07-08T18:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a \"helpful\" error that the user belongs to another provider.\n\n### Reproduction\n\n1. Create a user using a SSO provider `test@directus.io`.\n2. Try to log-in using the regular login form (or the API)\n3. When using a valid email address\n\n| **APP** | **API** |\n| --- | --- |\n| ![image](https://github.com/directus/directus/assets/9389634/1da3301d-226f-46a7-bfb8-3f6fb9bc55cd) | ![image](https://github.com/directus/directus/assets/9389634/50cab310-7d1c-4241-a6be-d06542565767) |\n\n4. When using an invalid email address\n\n| **APP** | **API** |\n| --- | --- |\n| ![image](https://github.com/directus/directus/assets/9389634/7b97659e-b49c-410b-872e-e36786b6e41e) | ![image](https://github.com/directus/directus/assets/9389634/d26ccba7-bb27-437e-991e-99c10941bbe7) |\n\n5. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.\n\n### Workarounds\nWhen only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable `AUTH_DISABLE_DEFAULT=\"true\"`\n\n### References\nImplemented as feature in https://github.com/directus/directus/pull/13184\nhttps://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account\n",
  "id": "GHSA-jgf4-vwc3-r46v",
  "modified": "2024-07-08T18:41:57Z",
  "published": "2024-07-08T18:41:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39896"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Directus Allows Single Sign-On User Enumeration"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.