cvelistv5 - CVE-2022-26969

CVE-2022-26969

Vulnerability from cvelistv5

Published

2022-12-26 00:00

Modified

2024-08-03 05:18

Severity ?

Summary

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

References

URL	Tags
cve@mitre.org	https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS	Technical Description, Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md	Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/pull/12022	Patch, Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/releases/tag/v9.7.0	Third Party Advisory
cve@mitre.org	https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/pull/12022	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/releases/tag/v9.7.0	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822	Third Party Advisory

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:18:39.283Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/pull/12022"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-26T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
        },
        {
          "url": "https://github.com/directus/directus/pull/12022"
        },
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
        },
        {
          "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
        },
        {
          "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-26969",
    "datePublished": "2022-12-26T00:00:00",
    "dateReserved": "2022-03-12T00:00:00",
    "dateUpdated": "2024-08-03T05:18:39.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-26969\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-12-26T06:15:10.893\",\"lastModified\":\"2024-11-21T06:54:53.077\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.\"},{\"lang\":\"es\",\"value\":\"En Directus anterior a 9.7.0, la configuraci\u00f3n predeterminada de CORS_ORIGIN y CORS_ENABLED es verdadera.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"9.7.0\",\"matchCriteriaId\":\"29906E73-BA02-4E9B-90C0-F075E73E4DD6\"}]}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/pull/12022\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/releases/tag/v9.7.0\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/pull/12022\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/releases/tag/v9.7.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

gsd-2022-26969

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

Aliases

CVE-2022-26969

Aliases

CVE-2022-26969

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-26969",
    "id": "GSD-2022-26969"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-26969"
      ],
      "details": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.",
      "id": "GSD-2022-26969",
      "modified": "2023-12-13T01:19:39.295887Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2022-26969",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "?",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
          },
          {
            "name": "https://github.com/directus/directus/pull/12022",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/pull/12022"
          },
          {
            "name": "https://github.com/directus/directus/releases/tag/v9.7.0",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
          },
          {
            "name": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822",
            "refsource": "MISC",
            "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS",
            "refsource": "MISC",
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c9.7.0",
          "affected_versions": "All versions before 9.7.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-01-05",
          "description": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.",
          "fixed_versions": [
            "9.7.0"
          ],
          "identifier": "CVE-2022-26969",
          "identifiers": [
            "CVE-2022-26969",
            "GHSA-g27j-74fp-xfpr",
            "GMS-2022-677"
          ],
          "not_impacted": "All versions starting from 9.7.0",
          "package_slug": "npm/directus",
          "pubdate": "2022-12-26",
          "solution": "Upgrade to version 9.7.0 or above.",
          "title": "Insecure Defaults",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-26969",
            "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS",
            "https://github.com/directus/directus/releases/tag/v9.7.0",
            "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822",
            "https://github.com/directus/directus/pull/12022",
            "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md",
            "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr",
            "https://github.com/advisories/GHSA-g27j-74fp-xfpr"
          ],
          "uuid": "49474c61-dbf8-4445-a743-423416b19a03"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions before 9.7.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-04-06",
          "description": "### Impact\n\nThe default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn\u0027t been changed.\n\n### Patches\n\nThe default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0\n\n### Workarounds\n\nConfigure the CORS environment variables to match your project\u0027s usage, rather than leaving them at the (permissive) defaults.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [directus/directus](https://github.com/directus/directus)\n* Email us at [security@directus.io](mailto:security@directus.io)\n",
          "fixed_versions": [
            "9.7.0"
          ],
          "identifier": "GMS-2022-677",
          "identifiers": [
            "GHSA-g27j-74fp-xfpr",
            "GMS-2022-677",
            "CVE-2022-26969"
          ],
          "not_impacted": "All versions starting from 9.7.0",
          "package_slug": "npm/directus",
          "pubdate": "2022-04-05",
          "solution": "Upgrade to version 9.7.0 or above.",
          "title": "Duplicate of ./npm/directus/CVE-2022-26969.yml",
          "urls": [
            "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr",
            "https://github.com/directus/directus/pull/12022",
            "https://github.com/advisories/GHSA-g27j-74fp-xfpr"
          ],
          "uuid": "bd3acaa7-ca02-48cf-9f04-39c0af674fbd"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.7.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2022-26969"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS",
              "refsource": "MISC",
              "tags": [
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
            },
            {
              "name": "https://github.com/directus/directus/releases/tag/v9.7.0",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
            },
            {
              "name": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
            },
            {
              "name": "https://github.com/directus/directus/pull/12022",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/directus/directus/pull/12022"
            },
            {
              "name": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-01-05T17:47Z",
      "publishedDate": "2022-12-26T06:15Z"
    }
  }
}

fkie_cve-2022-26969

Vulnerability from fkie_nvd

Published

2022-12-26 06:15

Modified

2024-11-21 06:54

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.

References

URL	Tags
cve@mitre.org	https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS	Technical Description, Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md	Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/pull/12022	Patch, Third Party Advisory
cve@mitre.org	https://github.com/directus/directus/releases/tag/v9.7.0	Third Party Advisory
cve@mitre.org	https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS	Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/pull/12022	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/releases/tag/v9.7.0	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822	Third Party Advisory

Impacted products

	Vendor	Product	Version
	monospace	directus	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "29906E73-BA02-4E9B-90C0-F075E73E4DD6",
              "versionEndExcluding": "9.7.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true."
    },
    {
      "lang": "es",
      "value": "En Directus anterior a 9.7.0, la configuraci\u00f3n predeterminada de CORS_ORIGIN y CORS_ENABLED es verdadera."
    }
  ],
  "id": "CVE-2022-26969",
  "lastModified": "2024-11-21T06:54:53.077",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-26T06:15:10.893",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/pull/12022"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/pull/12022"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-g27j-74fp-xfpr

Vulnerability from github

Published

2022-04-05 18:31

Modified

2023-01-10 00:37

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Insecure default value for CORS configuration

Details

Impact

The default value for the CORS_ENABLED and CORS_ORIGIN configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn't been changed.

Patches

The default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0

Workarounds

Configure the CORS environment variables to match your project's usage, rather than leaving them at the (permissive) defaults.

For more information

If you have any questions or comments about this advisory: * Open an issue in directus/directus * Email us at security@directus.io

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-26969"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2022-04-05T18:31:22Z",
    "nvd_published_at": "2022-12-26T06:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe default value for the `CORS_ENABLED` and `CORS_ORIGIN` configuration was set to be very permissive by default. This could lead to unauthorized access in uncontrolled environments when the configuration hasn\u0027t been changed.\n\n### Patches\n\nThe default values for CORS have been changed in https://github.com/directus/directus/pull/12022 which is released under 9.7.0\n\n### Workarounds\n\nConfigure the CORS environment variables to match your project\u0027s usage, rather than leaving them at the (permissive) defaults.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [directus/directus](https://github.com/directus/directus)\n* Email us at [security@directus.io](mailto:security@directus.io)\n",
  "id": "GHSA-g27j-74fp-xfpr",
  "modified": "2023-01-10T00:37:19Z",
  "published": "2022-04-05T18:31:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-g27j-74fp-xfpr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26969"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/pull/12022"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/blob/8daed9c41baeaf1d08c1e292bf9f0dcef65e48fb/docs/configuration/config-options.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v9.7.0"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2441822"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insecure default value for CORS configuration"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2022-26969

Vulnerability from cvelistv5

gsd-2022-26969

Vulnerability from gsd

fkie_cve-2022-26969

Vulnerability from fkie_nvd

ghsa-g27j-74fp-xfpr

Vulnerability from github

Impact

Patches

Workarounds

For more information

Tags

Sightings

Nomenclature