cvelistv5 - cve-2023-26492

cve-2023-26492

Vulnerability from cvelistv5

Published

2023-03-03 21:49

Modified

2025-02-25 15:02

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary

Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.

References

URL	Tags
security-advisories@github.com	https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff	Patch
security-advisories@github.com	https://github.com/directus/directus/releases/tag/v9.23.0	Release Notes
security-advisories@github.com	https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/releases/tag/v9.23.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	directus	directus	Version: < 9.23.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:53:53.737Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
          },
          {
            "name": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
          },
          {
            "name": "https://github.com/directus/directus/releases/tag/v9.23.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-26492",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:30:38.278424Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T15:02:38.689Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "directus",
          "vendor": "directus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 9.23.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-03T21:49:02.314Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
        },
        {
          "name": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
        },
        {
          "name": "https://github.com/directus/directus/releases/tag/v9.23.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
        }
      ],
      "source": {
        "advisory": "GHSA-j3rg-3rgm-537h",
        "discovery": "UNKNOWN"
      },
      "title": "Directus vulnerable to Server-Side Request Forgery On File Import"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-26492",
    "datePublished": "2023-03-03T21:49:02.314Z",
    "dateReserved": "2023-02-23T23:22:58.577Z",
    "dateUpdated": "2025-02-25T15:02:38.689Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-26492\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-03T22:15:09.987\",\"lastModified\":\"2024-11-21T07:51:37.847\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"9.23.0\",\"matchCriteriaId\":\"FE4E8128-9B99-485D-9968-DD5B99AFE9D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/releases/tag/v9.23.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/directus/directus/releases/tag/v9.23.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\", \"name\": \"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/directus/directus/releases/tag/v9.23.0\", \"name\": \"https://github.com/directus/directus/releases/tag/v9.23.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:53:53.737Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-26492\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:30:38.278424Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:30:39.908Z\"}}], \"cna\": {\"title\": \"Directus vulnerable to Server-Side Request Forgery On File Import\", \"source\": {\"advisory\": \"GHSA-j3rg-3rgm-537h\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"directus\", \"product\": \"directus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 9.23.0\"}]}], \"references\": [{\"url\": \"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\", \"name\": \"https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\", \"name\": \"https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/directus/directus/releases/tag/v9.23.0\", \"name\": \"https://github.com/directus/directus/releases/tag/v9.23.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-918\", \"description\": \"CWE-918: Server-Side Request Forgery (SSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-03T21:49:02.314Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-26492\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T15:02:38.689Z\", \"dateReserved\": \"2023-02-23T23:22:58.577Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-03T21:49:02.314Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2023-26492

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-26492

Aliases

CVE-2023-26492

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-26492",
    "id": "GSD-2023-26492"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-26492"
      ],
      "details": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.",
      "id": "GSD-2023-26492",
      "modified": "2023-12-13T01:20:53.710866Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-26492",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "directus",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 9.23.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "directus"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-918",
                "lang": "eng",
                "value": "CWE-918: Server-Side Request Forgery (SSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
          },
          {
            "name": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
          },
          {
            "name": "https://github.com/directus/directus/releases/tag/v9.23.0",
            "refsource": "MISC",
            "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-j3rg-3rgm-537h",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c9.23.0",
          "affected_versions": "All versions before 9.23.0",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-918",
            "CWE-937"
          ],
          "date": "2023-03-10",
          "description": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.",
          "fixed_versions": [
            "9.23.1"
          ],
          "identifier": "CVE-2023-26492",
          "identifiers": [
            "CVE-2023-26492",
            "GHSA-j3rg-3rgm-537h"
          ],
          "not_impacted": "All versions starting from 9.23.0",
          "package_slug": "npm/directus",
          "pubdate": "2023-03-03",
          "solution": "Upgrade to version 9.23.1 or above.",
          "title": "Server-Side Request Forgery (SSRF)",
          "urls": [
            "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h",
            "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff",
            "https://github.com/directus/directus/releases/tag/v9.23.0",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-26492",
            "https://github.com/advisories/GHSA-j3rg-3rgm-537h"
          ],
          "uuid": "0ab0989c-4f66-4991-b4ca-119bd8d74434"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndExcluding": "9.23.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-26492"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-918"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
            },
            {
              "name": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
            },
            {
              "name": "https://github.com/directus/directus/releases/tag/v9.23.0",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-03-10T14:55Z",
      "publishedDate": "2023-03-03T22:15Z"
    }
  }
}

ghsa-j3rg-3rgm-537h

Vulnerability from github

Published

2023-03-03 23:07

Modified

2023-03-06 01:44

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary

Directus vulnerable to Server-Side Request Forgery On File Import

Details

Summary

Directus versions <=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to /files/import). An attacker can bypass the security controls that were implemented to patch vulnerability CVE-2022-23080 by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at http://169.254.169.254 event if 169.254.169.254 is in the deny IP list).

Details

DNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to /api/src/services/file.ts for the function importOne to mitigate the previous SSRF vulnerability CVE-2022-23080. The validation in /api/src/services/file.ts first checks if the resolved IP address for a domain name does not a resolve to an IP address in the deny list:

```js let ip = resolvedUrl.hostname;

if (net.isIP(ip) === 0) { try { ip = (await lookupDNS(ip)).address; } catch (err: any) { logger.warn(err, Couldn't lookup the DNS for url ${importURL}); throw new ServiceUnavailableException(Couldn't fetch file from url "${importURL}", { service: 'external-file', }); } }

if (env.IMPORT_IP_DENY_LIST.includes('0.0.0.0')) { const networkInterfaces = os.networkInterfaces();

for (const networkInfo of Object.values(networkInterfaces)) {
    if (!networkInfo) continue;

    for (const info of networkInfo) {
        if (info.address === ip) {
            logger.warn(`Requested URL ${importURL} resolves to localhost.`);
            throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, {
                service: 'external-file',
            });
        }
    }
}

}

if (env.IMPORT_IP_DENY_LIST.includes(ip)) { logger.warn(Requested URL ${importURL} resolves to a denied IP address.); throw new ServiceUnavailableException(Couldn't fetch file from url "${importURL}", { service: 'external-file', }); } ```

Once it validates that the resolved IP address is not in the deny list, then it uses axios to GET the url and saves the response content.

js try { fileResponse = await axios.get<Readable>(encodeURL(importURL), { responseType: 'stream', }); } catch (err: any) { logger.warn(err, `Couldn't fetch file from url "${importURL}"`); throw new ServiceUnavailableException(`Couldn't fetch file from url "${importURL}"`, { service: 'external-file', }); }

However, this validation check and fetching the web resource causes to DNS queries that enable a DNS rebinding attack. On the first DNS query, an attacker controlled name server can be configured to resolve to an external IP address that is not in the deny list to bypass the validation. Then when axios is called, the name server resolves the domain name to a local IP address.

PoC

To demonstrate we will be using an online tool named rebinder. Rebinder randomly changes the IP address it resolves to depending on the subdomain. For an example, 7f000001.8efa468e.rbndr.us can resolve to either 142.250.70.142 (google.com) or 127.0.0.1. Sending multiple POST requests to /files/import using this domain will eventually cause a resolution to 142.250.70.142 first to bypass the validation then fetch the sensitive from an internal server when axios is called.

The following screenshots show what it looks like when a successful attack occurs.

Downloading a file named secret.txt from a webserver running from http://127.0.0.1/secret.txt

Receiving the request from the internal server. Note that the incoming connection is from 127.0.0.1.

After downloading the file it leaks the content of the secret file.

Impact

An attacker can exploit this vulnerability to access highly sensitive internal server and steal sensitive information. An example is on Cloud Environments that utilise internal APIs for managing machine and privileges. For an example, if directus is hosted on AWS EC2 instance and has an IAM role assigned to the EC2 instance then an attacker can exploit this vulnerability to steal the AWS access keys to impersonate the EC2 instance using the AWS API.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.23.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-03T23:07:35Z",
    "nvd_published_at": "2023-03-03T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nDirectus versions \u003c=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls that were implemented to patch vulnerability [CVE-2022-23080](https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2934713) by performing a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding) and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at `http://169.254.169.254` event if `169.254.169.254` is in the deny IP list).\n\n### Details\nDNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to [`/api/src/services/file.ts`](https://github.com/directus/directus/blob/main/api/src/services/files.ts) for the function `importOne` to mitigate the previous SSRF vulnerability [CVE-2022-23080](https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2934713). The validation in [`/api/src/services/file.ts`](https://github.com/directus/directus/blob/main/api/src/services/files.ts) first checks if the resolved IP address for a domain name does not a resolve to an IP address in the deny list:\n\n```js\nlet ip = resolvedUrl.hostname;\n\nif (net.isIP(ip) === 0) {\n    try {\n        ip = (await lookupDNS(ip)).address;\n    } catch (err: any) {\n        logger.warn(err, `Couldn\u0027t lookup the DNS for url ${importURL}`);\n        throw new ServiceUnavailableException(`Couldn\u0027t fetch file from url \"${importURL}\"`, {\n            service: \u0027external-file\u0027,\n        });\n    }\n}\n\nif (env.IMPORT_IP_DENY_LIST.includes(\u00270.0.0.0\u0027)) {\n    const networkInterfaces = os.networkInterfaces();\n\n    for (const networkInfo of Object.values(networkInterfaces)) {\n        if (!networkInfo) continue;\n\n        for (const info of networkInfo) {\n            if (info.address === ip) {\n                logger.warn(`Requested URL ${importURL} resolves to localhost.`);\n                throw new ServiceUnavailableException(`Couldn\u0027t fetch file from url \"${importURL}\"`, {\n                    service: \u0027external-file\u0027,\n                });\n            }\n        }\n    }\n}\n\nif (env.IMPORT_IP_DENY_LIST.includes(ip)) {\n    logger.warn(`Requested URL ${importURL} resolves to a denied IP address.`);\n    throw new ServiceUnavailableException(`Couldn\u0027t fetch file from url \"${importURL}\"`, {\n        service: \u0027external-file\u0027,\n    });\n}\n```\n\nOnce it validates that the resolved IP address is not in the deny list, then it uses `axios` to `GET` the url and saves the response content.\n\n```js\ntry {\n    fileResponse = await axios.get\u003cReadable\u003e(encodeURL(importURL), {\n        responseType: \u0027stream\u0027,\n    });\n} catch (err: any) {\n    logger.warn(err, `Couldn\u0027t fetch file from url \"${importURL}\"`);\n    throw new ServiceUnavailableException(`Couldn\u0027t fetch file from url \"${importURL}\"`, {\n        service: \u0027external-file\u0027,\n    });\n}\n```\n\nHowever, this validation check and fetching the web resource causes to DNS queries that enable a DNS rebinding attack. On the first DNS query, an attacker controlled name server can be configured to resolve to an external IP address that is not in the deny list to bypass the validation. Then when `axios` is called, the name server resolves the domain name to a local IP address.\n\n### PoC\nTo demonstrate we will be using an online tool named [rebinder](https://lock.cmpxchg8b.com/rebinder.html). Rebinder randomly changes the IP address it resolves to depending on the subdomain. For an example, `7f000001.8efa468e.rbndr.us` can resolve to either `142.250.70.142` (google.com) or **`127.0.0.1`**. Sending multiple `POST` requests to `/files/import` using this domain will eventually cause a resolution to `142.250.70.142` first to bypass the validation then fetch the sensitive from an internal server when `axios` is called.\n\nThe following screenshots show what it looks like when a successful attack occurs.\n\n*Downloading a file named `secret.txt` from a webserver running from `http://127.0.0.1/secret.txt`*\n![image](https://user-images.githubusercontent.com/6276577/218124035-26f7f0c3-47b3-424d-b4d4-bd3b47161983.png)\n\n*Receiving the request from the internal server. Note that the incoming connection is from **127.0.0.1**.*\n![image](https://user-images.githubusercontent.com/6276577/218124119-87b8d5d6-934d-4e07-be4d-066616a9a435.png)\n\n*After downloading the file it leaks the content of the secret file.*\n![image](https://user-images.githubusercontent.com/6276577/218122210-87b2e478-1081-4830-a9ea-e5d9f39bb129.png)\n\n### Impact\nAn attacker can exploit this vulnerability to access highly sensitive internal server and steal sensitive information. An example is on Cloud Environments that utilise internal APIs for managing machine and privileges. For an example, if `directus` is hosted on AWS EC2 instance and has an IAM role assigned to the EC2 instance then an attacker can exploit this vulnerability to steal the AWS access keys to impersonate the EC2 instance using the AWS API.\n",
  "id": "GHSA-j3rg-3rgm-537h",
  "modified": "2023-03-06T01:44:06Z",
  "published": "2023-03-03T23:07:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus vulnerable to Server-Side Request Forgery On File Import"
}

fkie_cve-2023-26492

Vulnerability from fkie_nvd

Published

2023-03-03 22:15

Modified

2024-11-21 07:51

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff	Patch
security-advisories@github.com	https://github.com/directus/directus/releases/tag/v9.23.0	Release Notes
security-advisories@github.com	https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/releases/tag/v9.23.0	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h	Exploit, Third Party Advisory

Impacted products

	Vendor	Product	Version
	monospace	directus	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:monospace:directus:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "FE4E8128-9B99-485D-9968-DD5B99AFE9D0",
              "versionEndExcluding": "9.23.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0."
    }
  ],
  "id": "CVE-2023-26492",
  "lastModified": "2024-11-21T07:51:37.847",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-03T22:15:09.987",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/directus/directus/commit/ff53d3e69a602d05342e15d9bb616884833ddbff"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/directus/directus/releases/tag/v9.23.0"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/directus/directus/security/advisories/GHSA-j3rg-3rgm-537h"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2023-26492

Vulnerability from cvelistv5

gsd-2023-26492

Vulnerability from gsd

ghsa-j3rg-3rgm-537h

Vulnerability from github

Summary

Details

PoC

Impact

fkie_cve-2023-26492

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature