SB2023030662 - Multiple vulnerabilities in Directus
Published: March 6, 2023 Updated: April 23, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-26492)
The vulnerability allows a remote user who can call the file-import endpoint to disclose sensitive information.
The vulnerability exists due to server-side request forgery in the /files/import endpoint when importing a file from a remote web server. The endpoint checks the address a hostname resolves to, but the HTTP client resolves the hostname a second time when it connects. A remote user who controls a DNS name can answer the first lookup with a harmless public address and the second with an internal one (DNS rebinding), so the deny-list check passes and the request is sent to the internal address. The response is returned to the user, disclosing sensitive information.
The issue can also be used to scan ports on the server's local network, and exploitation may expose internal metadata services such as the AWS instance metadata API (169.254.169.254).
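The check-then-fetch gap described above, as an added example that is not Directus code: a resolve-and-check deny list that is defeated by a rebinding DNS name, beside a version that resolves once and dials the address it checked. The DNS resolver, the HTTP client and the hostname files.attacker.test are all simulated and constructed for this illustration; nothing here touches the network.

```javascript
// Added example, not Directus code: why an "is this address internal?" check
// made on a hostname is defeated by DNS rebinding, and how pinning the checked
// address closes the gap. Everything here is simulated and runs offline.

// IPv4 ranges a remote-file importer should refuse (simplified, IPv4 only).
const DENIED_CIDRS = [
  ['127.0.0.0', 8],      // loopback
  ['10.0.0.0', 8],       // RFC 1918
  ['172.16.0.0', 12],    // RFC 1918
  ['192.168.0.0', 16],   // RFC 1918
  ['169.254.0.0', 16],   // link-local, includes cloud metadata 169.254.169.254
  ['0.0.0.0', 8],        // "this" network
];

function isIPv4(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s) && s.split('.').every((o) => Number(o) <= 255);
}

// Dotted quad -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// True when the address falls in any denied range, or cannot be classified.
function isDeniedIp(ip) {
  if (!isIPv4(ip)) return true;
  const n = ipToInt(ip);
  return DENIED_CIDRS.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
  });
}

// Constructed attacker DNS: the first answer is a harmless public address,
// every later answer is the cloud metadata service. Real resolvers are driven
// to this with very short TTLs; here a call counter stands in for that.
function makeRebindingResolver() {
  const answers = ['203.0.113.10', '169.254.169.254'];
  let calls = 0;
  return (hostname) => answers[Math.min(calls++, answers.length - 1)];
}

// Simulated HTTP client that resolves the hostname itself, as Node's http
// module and most client libraries do. Returns the address it would dial.
function fetchByHostname(url, resolve) {
  return { connectedTo: resolve(new URL(url).hostname) };
}

// VULNERABLE: resolve-and-check, then hand the URL to a client that resolves
// again. Lookup 1 passes the deny list; lookup 2 is what the socket uses.
function importFileVulnerable(url, resolve) {
  const ip = resolve(new URL(url).hostname);
  if (isDeniedIp(ip)) throw new Error('denied: ' + ip);
  return fetchByHostname(url, resolve);
}

// HARDENED: resolve exactly once, check that address, and dial that address
// while sending the original name in the Host header. There is no second
// lookup for the attacker to influence. Every redirect hop must repeat this.
function importFileHardened(url, resolve) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') throw new Error('scheme not allowed');
  const ip = resolve(u.hostname);
  if (isDeniedIp(ip)) throw new Error('denied: ' + ip);
  return { connectedTo: ip, hostHeader: u.host };
}
```

With Node's http module the pinning in importFileHardened is done by passing a custom `lookup` function in the request options that returns the already-checked address, or by dialling the IP directly and setting the Host header; any 3xx redirect has to go back through the resolve-check-dial step, otherwise a public host can simply redirect to 169.254.169.254. The deny list here is IPv4 only for brevity; a production list also needs IPv6 loopback, link-local, unique-local and IPv4-mapped (::ffff:a.b.c.d) forms.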
2) Cross-site scripting (CVE-ID: CVE-2023-27474)
The vulnerability allows a remote attacker to inject HTML content into password reset emails.
The vulnerability exists due to improper neutralization of input during web page generation in the password reset email handling for custom reset URLs: query parameters carried by the reset URL are placed into the HTML email body without escaping. A remote attacker can request a password reset for a victim's address with a specially crafted reset URL whose query parameters contain HTML, so the victim receives a message from the legitimate sender with attacker-controlled markup in it.
Only instances that configure an allow list of custom reset URLs are affected; the allow-list check does not cover the query string of the URL.
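The injection path described above, as an added example that is not Directus code: an email builder whose allow-list check ignores the query string and then interpolates the raw URL into HTML, beside a version that validates origin and path with the URL parser, rebuilds the link from allow-listed parts only, and escapes before templating. The allow-listed URL app.example.test, the request parameter name reset_url and the token value are constructed for this illustration.

```javascript
// Added example, not Directus code: HTML injection through the query string of
// an allow-listed custom reset URL, and the checks that close it.

// Constructed allow list of custom reset pages (origin + path, no query).
const ALLOWED_RESET_URLS = ['https://app.example.test/reset-password'];

// Escape the five characters that matter inside HTML text and attributes.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the allow list is compared against the part before '?', so the
// attacker's query string survives the check, and the full URL is dropped raw
// into the HTML body. The reset_url value is whatever the requester sent.
function buildResetEmailVulnerable(resetUrl, token) {
  const base = resetUrl.split('?')[0];
  if (!ALLOWED_RESET_URLS.includes(base)) throw new Error('reset_url not allowed');
  const link = resetUrl + (resetUrl.includes('?') ? '&' : '?') + 'token=' + token;
  return `<p>Click <a href="${link}">here</a> to reset your password.</p>`;
}

// HARDENED: parse with the URL parser (which also normalises "/../"), compare
// origin + pathname against the allow list, build the link from the allow-listed
// value plus the server-generated token only, and HTML-escape the final string.
function buildResetEmailHardened(resetUrl, token) {
  let u;
  try {
    u = new URL(resetUrl);
  } catch (e) {
    throw new Error('reset_url not allowed');
  }
  const canonical = `${u.origin}${u.pathname}`;
  if (!ALLOWED_RESET_URLS.includes(canonical)) throw new Error('reset_url not allowed');
  const link = new URL(canonical);
  link.searchParams.set('token', token);
  return `<p>Click <a href="${htmlEscape(link.toString())}">here</a> to reset your password.</p>`;
}
```

The hardened builder drops caller-supplied query parameters altogether. If a deployment genuinely needs to pass some through (a return path, a locale), copy only the expected keys via `link.searchParams.set` so the values are URL-encoded, and keep the `htmlEscape` on the final string; escaping alone would stop the markup, but not the unexpected-parameter problem.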
Remediation
Install the update from the vendor's website. Until the update is applied, limiting which users may import files from remote URLs and, where possible, not configuring a custom reset URL allow list removes the preconditions for both issues.