Products
Directus
- 10.13.0
Source
security-advisories@github.com
Tags
CVE-2024-39896 details
Published : July 8, 2024, 6:15 p.m.
Last Modified : July 8, 2024, 6:15 p.m.
Last Modified : July 8, 2024, 6:15 p.m.
Description
Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.5 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.5
Exploitability Score
3.9
Impact Score
3.6
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
| URL | Source |
|---|---|
| https://github.com/directus/directus/commit/454cb534d6ffa547feb11f4d74b932ae7368dae2 | security-advisories@github.com |
| https://github.com/directus/directus/security/advisories/GHSA-jgf4-vwc3-r46v | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.