GHSA-jgf4-vwc3-r46v

Suggest an improvement
Source
https://github.com/advisories/GHSA-jgf4-vwc3-r46v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-jgf4-vwc3-r46v/GHSA-jgf4-vwc3-r46v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jgf4-vwc3-r46v
Aliases
Related
Published
2024-07-08T18:41:57Z
Modified
2024-07-08T18:58:08.846992Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Directus Allows Single Sign-On User Enumeration
Details

Impact

When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider.

Reproduction

  1. Create a user using a SSO provider test@directus.io.
  2. Try to log-in using the regular login form (or the API)
  3. When using a valid email address

| APP | API | | --- | --- | | image | image |

  1. When using an invalid email address

| APP | API | | --- | --- | | image | image |

  1. Using this differing error it is possible to determine whether a specific email address is present in the Directus instance as an SSO user.

Workarounds

When only using SSO for authentication then you can work around this issue by disabling local login using the following environment variable AUTH_DISABLE_DEFAULT="true"

References

Implemented as feature in https://github.com/directus/directus/pull/13184 https://owasp.org/www-project-web-security-testing-guide/v42/4-WebApplicationSecurityTesting/03-IdentityManagementTesting/04-TestingforAccountEnumerationandGuessableUserAccount

Database specific 
{
    "nvd_published_at": "2024-07-08T18:15:08Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-08T18:41:57Z"
}
References

Affected packages

npm / directus

Package

Name
directus
View open source insights on deps.dev
Purl
pkg:npm/directus

Affected ranges

Type
SEMVER
Events
Introduced
9.11
Fixed
10.13.0