CVE-2024-39896 (GCVE-0-2024-39896)
Vulnerability from cvelistv5 – Published: 2024-07-08 17:27 – Updated: 2024-08-02 04:33
VLAI?
Title
Directus allows SSO User Enumeration
Summary
Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:monospace:directus:9.11.0:*:*:*:*:node.js:*:*"
],
"defaultStatus": "unknown",
"product": "directus",
"vendor": "monospace",
"versions": [
{
"lessThan": "10.13.0",
"status": "affected",
"version": "9.11.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39896",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-30T18:30:43.516471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-30T18:35:32.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:33:11.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
},
{
"name": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "directus",
"vendor": "directus",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.11, \u003c 10.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a \"helpful\" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-08T17:27:56.032Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
},
{
"name": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
}
],
"source": {
"advisory": "GHSA-jgf4-vwc3-r46v",
"discovery": "UNKNOWN"
},
"title": "Directus allows SSO User Enumeration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39896",
"datePublished": "2024-07-08T17:27:56.032Z",
"dateReserved": "2024-07-02T19:37:18.599Z",
"dateUpdated": "2024-08-02T04:33:11.337Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2\", \"name\": \"https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:33:11.337Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-39896\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-30T18:30:43.516471Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:monospace:directus:9.11.0:*:*:*:*:node.js:*:*\"], \"vendor\": \"monospace\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.11.0\", \"lessThan\": \"10.13.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-30T18:35:27.990Z\"}}], \"cna\": {\"title\": \"Directus allows SSO User Enumeration\", \"source\": {\"advisory\": \"GHSA-jgf4-vwc3-r46v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"directus\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 9.11, \u003c 10.13.0\"}]}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2\", \"name\": \"https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a \\\"helpful\\\" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-08T17:27:56.032Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-39896\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T04:33:11.337Z\", \"dateReserved\": \"2024-07-02T19:37:18.599Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-08T17:27:56.032Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-JGF4-VWC3-R46V
Vulnerability from github – Published: 2024-07-08 18:41 – Updated: 2024-07-08 18:41
VLAI?
Summary
Directus Allows Single Sign-On User Enumeration
Details
Impact
When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider.
Reproduction
- Create a user using a SSO provider
test@directus.io. - Try to log-in using the regular login form (or the API)
- When using a valid email address
| APP | API |
|---|---|
- When using an invalid email address
| APP | API |
|---|---|
- Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.
Workarounds
When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable AUTH_DISABLE_DEFAULT="true"
References
Implemented as feature in https://github.com/directus/directus/pull/13184 https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "directus"
},
"ranges": [
{
"events": [
{
"introduced": "9.11"
},
{
"fixed": "10.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-39896"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-08T18:41:57Z",
"nvd_published_at": "2024-07-08T18:15:08Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a \"helpful\" error that the user belongs to another provider.\n\n### Reproduction\n\n1. Create a user using a SSO provider `test@directus.io`.\n2. Try to log-in using the regular login form (or the API)\n3. When using a valid email address\n\n| **APP** | **API** |\n| --- | --- |\n|  |  |\n\n4. When using an invalid email address\n\n| **APP** | **API** |\n| --- | --- |\n|  |  |\n\n5. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.\n\n### Workarounds\nWhen only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable `AUTH_DISABLE_DEFAULT=\"true\"`\n\n### References\nImplemented as feature in https://github.com/directus/directus/pull/13184\nhttps://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account\n",
"id": "GHSA-jgf4-vwc3-r46v",
"modified": "2024-07-08T18:41:57Z",
"published": "2024-07-08T18:41:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39896"
},
{
"type": "WEB",
"url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
},
{
"type": "PACKAGE",
"url": "https://github.com/directus/directus"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Directus Allows Single Sign-On User Enumeration"
}
FKIE_CVE-2024-39896
Vulnerability from fkie_nvd - Published: 2024-07-08 18:15 - Updated: 2025-01-03 16:30
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "1C808521-9592-4730-A53F-CCBA4486C092",
"versionEndExcluding": "10.13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a \"helpful\" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0."
},
{
"lang": "es",
"value": "Directus es una API y un panel de aplicaciones en tiempo real para administrar el contenido de la base de datos SQL. Cuando se depende de proveedores de SSO en combinaci\u00f3n con la autenticaci\u00f3n local, es posible enumerar los usuarios de SSO existentes en la instancia. Esto es posible porque si existe una direcci\u00f3n de correo electr\u00f3nico en Directus y pertenece a un proveedor de SSO conocido, se generar\u00e1 un error \"helpful\" de que el usuario pertenece a otro proveedor. Esta vulnerabilidad se solucion\u00f3 en 10.13.0."
}
],
"id": "CVE-2024-39896",
"lastModified": "2025-01-03T16:30:43.367",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-08T18:15:08.383",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…