ghsa-pmf4-v838-29hg
Vulnerability from github
Published
2025-01-23 22:35
Modified
2025-02-11 22:09
Severity ?
5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
Directus allows privilege escalation using Share feature
Details

Summary

When sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.

Details

Specifying role on share should be available only for admins. The current flow has a security flaw.

Each other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is higher or lower, so only admins should be able to specify the role for share.

Optionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import.

*shareer - a person that creates a share link to item

PoC

  1. Create a collection with a secret field.
  2. Create role A that sees the secret field
  3. Create role B that does not see the secret field, but can use share feature.
  4. Create item with secret field filled.
  5. Use account with role B to share the object as role A and gain unauthorized access to secret value.

Here's video example: https://www.youtube.com/watch?v=DbV4IxbWzN4 I had to upload it to YouTube, because GitHub allows only 10MB videos.

Impact

Impacted are instances that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@directus/app"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "13.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-23T22:35:52Z",
    "nvd_published_at": "2025-01-23T18:15:33Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen sharing an item, user can specify an arbitrary role. It allows user to use a higher-privileged role to see fields that otherwise the user should not be able to see.\n\n### Details\nSpecifying `role` on share should be available only for admins. The current flow has a security flaw.\n\nEach other role should allow to share only in the context of the same role. As there is no role hierarchy in Directus, it is impossible to tell which role is _higher_ or _lower_, so only admins should be able to specify the role for share.\n\nOptionally, instead of specifying a role, shareer* should be able to specify which fields (limited to fields shareer sees) are available on shared item. Similarily to import.\n\n*_shareer_ - a person that creates a share link to item\n\n### PoC\n1. Create a collection with a secret field. \n2. Create role A that sees the secret field\n3. Create role B that does not see the secret field, but can use share feature.\n4. Create item with secret field filled. \n5. Use account with role B to share the object as role A and gain unauthorized access to secret value.\n\nHere\u0027s video example: https://www.youtube.com/watch?v=DbV4IxbWzN4\nI had to upload it to YouTube, because GitHub allows only 10MB videos.\n\n### Impact\nImpacted are instances that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles.",
  "id": "GHSA-pmf4-v838-29hg",
  "modified": "2025-02-11T22:09:20Z",
  "published": "2025-01-23T22:35:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-pmf4-v838-29hg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24353"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/pull/23716"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/commit/e288a43a79613dada905da683f4919c6965ac804"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    },
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/releases/tag/v11.2.0"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=DbV4IxbWzN4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus allows privilege escalation using Share feature"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.