SB2024100897 - Multiple vulnerabilities in Directus

Published: October 8, 2024 Updated: April 23, 2026

Security Bulletin ID: SB2024100897
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper access control (CVE-ID: CVE-2024-6534)

The vulnerability allows a remote user to modify preset assignments for another user.

The vulnerability exists due to improper access control in the PATCH /presets/{id} endpoint when handling preset update requests. A remote user can send a specially crafted PATCH request to modify preset assignments for another user.

User interaction is required for the modified preset to be rendered when the victim visits the affected view.


2) Use of cache containing sensitive information (CVE-ID: CVE-2024-45596)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper caching in OpenID and OAuth2 authentication callback endpoints when handling authentication requests without the redirect query string. A remote attacker can initiate a login flow through a crafted SSO callback URL to disclose sensitive information.

Exploitation requires cache to be enabled and user interaction to complete the authentication flow.


3) Improper access control (CVE-ID: CVE-2024-46990)

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the localhost IP filter when validating outbound requests against loopback addresses. A remote user can use an alternative loopback address to disclose sensitive information.

The issue affects deployments relying on the default 0.0.0.0 filter to block localhost access.


4) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2024-47822)

The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log files in request query logging when handling requests with an access token in the query string while raw logging is enabled. A local privileged user can send a request containing an access token in the query string to disclose sensitive information.

Only instances with LOG_STYLE set to raw are vulnerable. User interaction is required.


Remediation

Install update from vendor's website.