CVE-2023-27481

Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`.

CVSS v3.0 4.3 MEDIUM

4.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/directus/directus/pull/15010	Patch Vendor Advisory
https://github.com/directus/directus/pull/14829	Patch Vendor Advisory
https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

Information

Published : 2023-03-07 11:15

Updated : 2023-03-14 09:39

NVD link : CVE-2023-27481

Mitre link : CVE-2023-27481

JSON object : View

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Advertisement

Products Affected

monospace

directus

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/directus/directus/pull/15010", "name": "https://github.com/directus/directus/pull/15010", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/directus/directus/pull/14829", "name": "https://github.com/directus/directus/pull/14829", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf", "name": "https://github.com/directus/directus/security/advisories/GHSA-m5q3-8wgf-x8xf", "tags": ["Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. In versions prior to 9.16.0 users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. Accounts cannot be taken over unless the hashes can be reversed which is unlikely with current hardware. This problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator in version 9.16.0. Users are advised to upgrade. Users unable to upgrade may mitigate this issue by ensuring that no user has `read` access to the `password` field in `directus_users`."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-200"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-27481", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}}, "publishedDate": "2023-03-07T19:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "9.16.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-03-14T16:39Z"}