GHSA-PMF4-V838-29HG

Vulnerability from github – Published: 2025-01-23 22:35 – Updated: 2025-02-11 22:09
VLAI?
Summary
Directus allows privilege escalation using Share feature
Details

Summary

When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.

Details

Specifying role on share should be available only for admins. The current flow has a security flaw.

Each other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is higher or lower, so only admins should be able to specify the role for share.

Optionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import.

*shareer - a person that creates a share link to item

PoC

  1. Create a collection with a secret field.
  2. Create role A that sees the secret field
  3. Create role B that does not see the secret field, but can use share feature.
  4. Create item with secret field filled.
  5. Use account with role B to share the object as role A and gain unauthorized access to secret value.

Here's video example: https://www.youtube.com/watch?v=DbV4IxbWzN4 I had to upload it to YouTube, because GitHub allows only 10MB videos.

Impact

Impacted are instances that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles.

Severity ?
5.0 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-23T22:35:52Z",
    "nvd_published_at": "2025-01-23T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.\n\n### Details\nSpecifying `role` on share should be available only for admins. The current flow has a security flaw.\n\nEach other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is _higher_ or _lower_, so only admins should be able to specify the role for share.\n\nOptionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import.\n\n*_shareer_ - a person that creates a share link to item\n\n### PoC\n1. Create a collection with a secret field. \n2. Create role A that sees the secret field\n3. Create role B that does not see the secret field, but can use share feature.\n4. Create item with secret field filled. \n5. Use account with role B to share the object as role A and gain unauthorized access to secret value.\n\nHere\u0027s video example: https://www.youtube.com/watch?v=DbV4IxbWzN4\nI had to upload it to YouTube, because GitHub allows only 10MB videos.\n\n### Impact\nImpacted are instances that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles.",
  "id": "GHSA-pmf4-v838-29hg",
  "modified": "2025-02-11T22:09:20Z",
  "published": "2025-01-23T22:35:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/pull/23716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.2.0"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=DbV4IxbWzN4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus allows privilege escalation using Share feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.