SB2024030162 - Multiple vulnerabilities in Directus

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2024-27296)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in compiled JS bundles when accessing them without authentication. A remote attacker can retrieve the exact Directus version number to disclose sensitive information.

The disclosed information is the exact running Directus version number.

2) Improper access control (CVE-ID: CVE-2024-27295)

The vulnerability allows a remote attacker to gain unauthorized access to another user's account.

The vulnerability exists due to improper access control in the password reset mechanism when handling password reset requests with accent-confusable email addresses under accent-insensitive MySQL or MariaDB comparisons. A remote attacker can submit a crafted password reset request to gain unauthorized access to another user's account.

Exploitation requires knowledge of the victim's email address and control of a similar email address that differs by accented characters.

Remediation

Install update from vendor's website.

References

• https://github.com/directus/directus/security/advisories/GHSA-5mhg-wv8w-p59j
• https://github.com/directus/directus/security/advisories/GHSA-qw9g-7549-7wg5