SB2022062716 - Multiple vulnerabilities in Directus
Published: June 27, 2022 Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2022-23080)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the media upload functionality. A remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to sensitive data located on the local network, or to send malicious requests to other servers from the vulnerable system.
2) Improper access control (CVE-ID: CVE-2022-26969)
The vulnerability allows a remote attacker to gain unauthorized access.
The vulnerability exists due to improper access control in the CORS configuration when handling cross-origin requests with permissive default settings. A remote attacker can induce a victim to access the application from an unauthorized origin to gain unauthorized access.
The issue occurs in uncontrolled environments when the default CORS configuration has not been changed, and user interaction is required.
Remediation
Install the update from the vendor's website.