CVE-2023-38503

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/directus/directus/pull/19155	Patch
https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*

History

03 Aug 2023, 15:33

Type	Values Removed	Values Added
CPE		cpe:2.3:a:monospace:directus::::::node.js::*
First Time		Monospace Monospace directus
CWE	~~CWE-200~~	CWE-863
References	~~(MISC) https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98 -~~	(MISC) https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98 - Vendor Advisory
References	~~(MISC) https://github.com/directus/directus/pull/19155 -~~	(MISC) https://github.com/directus/directus/pull/19155 - Patch
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

25 Jul 2023, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-25 23:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-38503

Mitre link : CVE-2023-38503

CVE.ORG link : CVE-2023-38503

JSON object : View

Products Affected

monospace

directus

CWE

CWE-863

Incorrect Authorization

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2023-38503", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.1}]}, "published": "2023-07-25T23:15:10.183", "references": [{"url": "https://github.com/directus/directus/pull/19155", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/directus/directus/security/advisories/GHSA-gggm-66rh-pp98", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.3.0 and prior to version 10.5.0, the permission filters (i.e. `user_created IS $CURRENT_USER`) are not properly checked when using GraphQL subscription resulting in unauthorized users getting event on their subscription which they should not be receiving according to the permissions. This can be any collection but out-of-the box the `directus_users` collection is configured with such a permissions filter allowing you to get updates for other users when changes happen. Version 10.5.0 contains a patch. As a workaround, disable GraphQL subscriptions."}], "lastModified": "2023-08-03T15:33:06.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A6A7550C-6C94-45D1-B2C4-717DFBF4F612", "versionEndExcluding": "10.5.0", "versionStartIncluding": "10.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}